"We have noted that similar attacks have also been carried out against Wikileaks itself, yet so far, nobody has been arrested in connection with these attacks, nor are there even any signs of an investigation into this issue at all,"
I think that is one of the most important points of this article.
For a law enforcement agency to investigate the Wikileaks would require Wikileaks to turn over their server access logs, including every visitor to the site for the period of time in question. They would be basically finished in terms of getting dissidents to visit the site or hand over information if they're seen as turning over any sort of visitor-identifying info to any sort of law enforcement agency.
If neither the perpetrator nor the servers are in the U.S., theres not likely to be any jurisdiction, but it's not actually necessary for the targeted servers to be in the U.S.; it's sufficient for jurisdiction for the (alleged) perpetrator to be operating from the U.S.
I meant, does anyone investigate them end-to-end, and not just in their own country? I find it hard to believe that the FBI interacts well with law enforcement in, say, Poland.
well the RCMP and the FBI work together very closely, for one. An American FBI agent can get more done in Canada through RCMP connections than a rich and powerful Canadian can.
Yes, and vice versa, lets say the RCMP needs someone sent to Syria for 'questioning', then they'd phone the FBI and tip them off that such a person is coming to the US. And the FBI would promptly send them to Syria for 'questioning' of course also ignoring their citizenship and duty to deport people back to their country of citizenship.
I know it's hard to believe, but law enforcement of different countries indeed does cooperate really well, often even if these countries don't have very good diplomatic relationships.
I love this part. It's obvious that, for the first time in the lives of these Anons, sh%t actually got real.
(I don't mind any downvotes you see fit to give me, I have always found it laughable when Anons expect to break the law and suffer no consequences. Whether or not it is a good law has no bearing, that's not how civil disobedience works.)
I'm not a fan. These are guns we are talking about, not paperwork. Paperwork is the shit that's real, guns are just there to make you feel helpless. And also to kill you.
But the kids would have laughed at paperwork until it was all over, and then possibly still laugh at it. With the guns, they just experienced the severity of their action that a whole armed FBI-team had to come in to deal with the situation.
If it's a paper in the mail that says "we know it's you", I'd be pretty scared.
If it's a policeman at the door saying "come in for questioning", I'd be shitting my pants.
If it's three policemen saying "we've come to take all your PCs", I'd be confused and seriously contemplating future involvement with the group.
If it's a bunch of thugs breaking the door, grabbing my pcs, iphone, xboxes, lady gaga cd's and threatening to kill me if I object, I'd start looking into getting more involved with political activism.
At least, that's how I think I would react, before dealing with the paperwork.
Entering with an armed team is SOP, mostly to protect policemen. These are just guys doing a job, in the vast majority of cases a good and just job, who want to go home to their wives and children in the evening. Some (most) raids could theoretically be done by just knocking on the door; but sometimes some crazy man will start shooting back, or running away, or try to destroy evidence. Rush-entry raids with flashbangs etc. are designed to cause maximum confusion so that the people in the house are disoriented for a short time, hopefully long enough to be cuffed.
Anyway like I said sometimes these could be done by one guy with a briefcase, but how are you going to decide when to raid and when to knock on the door? And who is going to decide? When somebody makes a wrong call and a policeman gets killed, there's going to be a ruckus (police union, other policemen feeling unsafe causing worse performance, etc.) So the safe thing to do is to err on the side of caution. Sucks for those being raided when it wasn't really necessary, and even worse for those being raided in error, but as always it's a trade off.
That's how it came to be. IMO perfectly reasonable. One can disagree with specific cases, I do too; but try to put yourself in the shoes of someone designing or managing a law enforcement organization or system. If you have a solution that mitigates the problems yet addresses all the points and many more I brought up above, many many people would love to hear about it.
I'm sorry, but this is FUD. I have at least two objections to what you say (for the record, I'm not american).
1. Do you really want to live in a society where a visit from the police means a busted door just in case? If things degenerated so badly, the police has already failed, and failed hard. I mean Rwanda/Congo hard.
2. Since we both know this is not the case, and most visits from the police are done in the old-fashioned knock-on-the door manner, we have to wander if a pimpled faced computer hacker has _any_ quality making him more dangerous then average. I suppose a bureaucrat might go and say hacking was an act of terrorism and terrorists use bombs, but for any sane person it's pretty clear he is not above average. He's scraping the bottom of the barrel, statistically speaking.
I therefore tend to conclude that the busting of the doors is uses as a deterrent. A message for the Anonymous that if you play with fire, you'll have FBI agents with guns in your room.
Re: 1, maybe I didn't make it clear enough in my original post, but indeed in general police do knock on the door, so I think we agree on this point - raids are the exception rather than the norm, but my point was that if there is any doubt at all whether or not a raid would have any advantages, then the raid option will be chosen over the knock-on-the-door option.
With this clear - re: 2, and in the specific case of computer crime, raids are SOP because suspects have a high probability of destroying evidence; at least here in the Netherlands (and policy here are, to put it mildly, not the Wild West type) this is the reason and practice. There have already been a number of cases where suspects (in child pornography cases) were literally forcefully pulled from behind a computer because they were deleting files as soon as they got wind of the police.
So yes, in case of computer crimes, entering with force does make sense (maybe not always - there have also been cases of 16 year olds where the police showed up when they were in school).
We don't know the real circumstances of these raids. Maybe there was a deterrent/revenge component (which would be illegal and undesirable), we don't know. Point is that the knee-jerk reaction(s) I was replying to are just that, and lacking any nuance. Many interests have to be weighed and safety of police officers and having a reasonable chance to save evidence are some of the factors that have to be weighed against the interests of the suspects. This may sound, in the limited context here, like I'm advocating a police state and anyone who knows me IRL knows that I usually am on the far opposite of that; but some force on entry is not a big a deal as some people make it out to be.
My (admittedly long-windedly made) point: no you're not being oppressed because the police put a hole in your door in the course of investigating your malicious disturbance of someone else's business.
Well, around here the cops know who has guns, as well as whether they're known to be a bit crazy. The police are also usually not treated like an invading army, so it's apples for oranges.
I'd at least suggest holstering the weapons until they're needed and weighing the probability of encryption against the probability of forceful self-defense, case by case. If for some reason there's reason to believe that the person is working next to both a loaded gun and an encrypted disk, sure, treat it as a hostage situation and call swat or the wiretappers in. I don't think that's the norm, though.
"The police are also usually not treated like an invading army"
(emphasis mine)
This shows you don't understand the point (I'm not so much talking about this specific case or even raids on computer criminals anymore, rather in general). The exact point is that sometimes it does happen, but you don't know why. That's why you need to treat every opportunity, no matter how minute, as more dangerous than it actually is, or than you actually think it will be, because the consequences are so out of balance.
Let me put it this way: do you feel that 500 unnecessarily forceful raids, each destroying a door and 2 pieces of furniture, and taking a night of sleep away from 500 individuals, are better or worse than 1 policy officer shot in the leg (not even deadly)?
I think the shot wound is worse, and therefore wouldn't mind authorizing a raid even when I'm not 100% sure there is acute danger. Actually I'd authorize when there's even just a 1% chance of forceful resistance with a knife.
(the trade off may get different when suspects are harmed in the raid, I'm assuming sufficiently trained police people)
"and weighing the probability of encryption against the probability of forceful self-defense,"
This I don't understand. I'm quite sure no suspect will try to fire at policeman with their Truecrypt USB drive.
"If for some reason there's reason to believe that the person is working next to both a loaded gun and an encrypted disk"
The 'and' between 'loaded gun' and 'an encrypted disk' should be an 'or'. Just one of the two is enough to warrant force.
Assuming that, well that's already the trade off being made. I just think you underestimate the amount of criminals using encryption. Even if only 5% of them do use it, that already makes it likely enough that any random one (because remember, before you enter you don't know what you will find) will use it to warrant force. QED.
I considered not using that word (usually), but decided I don't know enough to remove all weaseling. I didn't intend it to be taken as representative of my understanding. However, from your exposition, it seems fitting.
I'm firmly against all examples of zero tolerance. From your example, I think 500 disturbances of peace and destructions of property is far worse than one realization of a work hazard. I would draw the line at perhaps 10. There used to be a principle that it is better to let 10 guilty men walk than convict a single innocent - do you not subscribe to this either?
I'll clarify what I meant with the juxtaposition of encryption and forceful resistance:
encryption is a justification for occupied searches, since you need to confiscate the electronics while they are unlocked. I don't know if that's actually done, though, since it's my understanding that the electronics are routinely removed from the premises and disconnected in the process. This scenario does not warrant the use of any force.
Armed defense is a justification for surprise arrests, since you need to arrest the suspect when they're not in defensive positions. A good time to do this is during ingress or egress. This situation does not warrant the use of devastating force.
The only reason to assault a dwelling with shock tactics would be to capture armed resistance in the act of handling evidence. Perhaps that's an actual worry for the FBI, who seem to assume all of their suspects are paramilitary, but I don't think it's a reasonable worry in the majority of cases, even the ones handled by the FBI.
I hope you now understand better where we disagree.
I'm dead serious if I saw a swat team coming to my house I would start shooting with my ak-47 well that's what I think I would do I wouldn't care shot about there kids I've never committed any crimes yet well it actully depends cause if they were there with out any swat teams and stuff like that I would let them in as you might know AK-47 rounds are armor piercing so reber that but the second they tried taking my computer I would start shooting or I'm might get a dummy greanade out that looks like the real one and hopefully they would start running you are probly wonder what's on that computer I got ill make it into a ? A) porn b) its the computer that I can download songs for ipod c) none of the above d) all of the above and the correct answer was c the reason is I haveworld of warcraft on my pc Ithink me and everyone who plays it is at least a little addicted to it cause me and everyone who plays it plays it pays 15$ a month but hey its a good game so and its worth the money and if you live in California and you are looking for a job they might hire you if you ask and if you get hired you get it free for 25 years but I'm actully not sure if they are hiring cause I live in virgina so don't get your hopes too high and um I apologize for not using paragraghs I'm actully typed this on my phone
I find it laughable that the cops felt the need to use real guns against a "Low Orbit Ion Cannon". Guns against unarmed kids (criminal or not) - that's not how jurisdiction should work.
I thought it was funny that he needed to emphasize or even say "real." You either have a gun pointed at you or you don't. Does the FBI sometimes burst in with water pistols?
>The FBI yesterday reminded the public that "facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability."
What exactly is the relevant statute? As the other Ars article on the subject states, it's the digital equivalent of a sit-in.
Wikipedia suggests 18 U.S.C. § 1030, the Computer Fraud and Abuse Act[0]. Here's the relevant part:
> Whoever ... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer ... shall be punished as provided in subsection (c) of this section.
> As used in this section ... the term “protected computer” means a computer ... which is used in or affecting interstate or foreign commerce or communication...
By my (not a lawyer) reading, the only real question is whether being overwhelmed with traffic can be called "damage".
It's silly to pretend that a DDoS attack is the same as a sit-in, such a contention is intellectually and morally bankrupt.
Moreover, sit-ins are not legal either. If you choose to attempt to disrupt a place of business and you refuse to leave private property when asked to do so you can be arrested.
> such a contention is intellectually and morally bankrupt.
Could you expand on this a bit? I actually believe that it's very close to the same thing, but I'd like to hear your reasoning.
> Moreover, sit-ins are not legal either.
You are correct. This is why it's called 'civil disobedience.' Sometimes, the best way to change a law is to break it. And break it publicly. It doesn't mean that you'll be spared a sentence, but the idea is that the sentence is worth it.
The purpose of a sit-in is to stage a non-violent, disruptive protest which forces a response, typically being arrested, from a business owner or government. If there is no response because, for example, the business owner is too shamed to respond then either the disruption continues until the protesters demands are met or the protesters eventually give up. If there is a response, such as use of law enforcement, then there is the opportunity for the protesters and their cohorts to get the message out, raise awareness, and gain sympathy and support from the public at large.
Anonymity changes the equation entirely. Sit-in protesters blatantly flout the law and beg to get arrested, so as to demonstrate their conviction for the rightness of their cause and to gain publicity. Anonymous DDoSers aim only to disrupt, whatever message they have is lost to the public because nobody can know for sure who the people responsible (4chan also apparently DDoS'd minecraft.net for a while, what was the purpose of that? wikileaks itself was DDoS'd for sometime, what was the purpose of that? it's hard to say because these are just anonymous attacks rather than actual, disciplined protests). DDoS participants don't expect to get caught, let alone to be arrested, as witness the reactions of the folks in the main article.
An anonymous, or attempted anonymous, denial of service attack is more akin to throwing bricks through a storefront window or arson. It is disruption completely unmoored from personal sacrifice, civil disobedience, or the context of a cause.
It is thus properly a more violent form of protest than a sit-in and we have all the more reason to despise such things because of it.
If you're smart and know that using your home PC for DDoS attacks is likely to result in trouble for you, a DDoS attack is no less sacrificial than a sit-in (in fact, due to the propaganda against "hackers", you're quite likely to get a harsher sentence).
Also, where do you get the idea that non-violent protest doesn't hurt the people being protested against? If someone chains himself to a tree about to be cut down, cutting the chain will disrupt the tree logging operation. Greenpeace isn't violent, but some people/organizations hate them, and with good reason. Gandhi wasn't violent, but he did cost the British a sizable chunk of their empire (which they'd arguably have lost anyway, but still.)
Now, DDoS is likely not as effective a protest as a sit-in, and it's entirely possible that most of the anons figured they'd never get caught - but that's not the point.
As I mentioned, sit-ins are non-violent, disruptive protests designed to raise awareness.
This does not mean that any form of disruption is analogous to a sit-in. If you know that you'll be arrested for a DDoS attack then certainly that's a sacrificial act (though to map closely to a sit-in you'd have to announce publicly what you are doing). However, even then that doesn't necessarily account for the damage participating in a DDoS can bring. Sit-ins rarely cause the loss of hundreds of thousands of dollars in business.
As it stands the debate is academic and the comparison is irrelevant. To date the number of DDoS attacks that have been carried out in public with full listings of the names and contact information of the participants is precisely zero.
You can hide behind a mask, or an IP, and you can throw your packets or your molotov cocktails at those folks you consider "the bad guys", securely smug in your knowledge that you're fighting the good fight. But that's an illusion. You're not Ghandi, you're not Rosa Parks. You're just another jerk with an ax to grind who doesn't have the guts to accept any consequences for his actions.
The reason sit-ins are lauded and DDoS's are shunned is because people who abuse the disruptive power of a sit-in to fight for worthless causes or their own self interest are simply sent to jail. Whereas most perpetrators of DoS attacks go uncaught.
I suspect that most of these people had no realization that reality would come and bust in their door. There remains a widespread illusion of anonymity and invulnerability when it comes to the tubes.
My conception of a sit-in has no relation with anonymity. The important portion of a sit-in is the occupation of space. The space is occupied to disrupt the normal flow of activity, so as to draw attention to a cause. I'm not sure how a protest being anonymous goes from violent to non-violent.
Yes but for it to be a "sit in", the space had to be occupied by your physical body.
You could simply occupy space through other means such as placing a large heavy object in the store or place of business, but that would be considered 'dumping' and not a sit-in.
The real question is whether Anonymous's legion of teenage trolls understands what civil disobedience means (i.e. that you are supposed to get arrested).
EDIT: Anonymous has demonstrated an increasing political savvy and awareness, first via the protests against Scientology, but also with some smaller things that were tried that didn't spark such media coverage, like Operation CNTroll, for example. Characterizing all of Anonymous as being ignorant children is just wrong. Not all of them are doing things for political reasons, but the leadership most certainly is.
I agree that the Anonymous leadership is politically savvy (so they're probably not LOICing from their home computers), but I can't escape the feeling that they view their followers as clueless cannon fodder to be exploited and then discarded.
Are you actually trying to make some moral equivalence between people who participated in a DDoS of a credit card processor because they disagreed with that company's policies and the people risking their lives protesting in Egypt? Seriously?
Struggle is struggle. Wikileaks is just as important of a world issue as Egypt is.
I'm watching Food, Inc. right now. Is the battle over food less or more important than Egypt? What about Tunesia? Different people value different causes differently. A healthy Wikileaks will probably affect my life more positively than a new Egyptian government will, but that doesn't make me less happy for them.
Wikileaks is just as important of a world issue as Egypt
is.
you gotta be kidding. Wikileaks is a little more than Assange's "I am the messiah" project.
BTW, did they leak their own financial matters yet? Where did all donated money go?
Part of the spark for the tunisian uprising was the revelations in the US embassy cables about the billionaire lifestyle of their rulers. Same in jordan.
Oh, so tunisians had no idea about the lifestyle of their rulers prior to wikileaks? I don't buy it.
And frankly, there was a lot more news about Assange's swedish affair than about anything leaked.
They had an idea, but I imagine total access to explicit description taken from private US diplomatic correspondence galvanised preexisting public sentiment somewhat.
What makes anyone think there's such a thing as the Anonymous Leadership?
"Anonymous" is just a cloak that some folks put on from time to time. I supported Anonymous when they were fucking with Scientology. I opposed Anonymous when they were fucking with Mastercard and Visa. But it's not in any sense "the same" group.
I could go and rape a donkey and leave a note saying "Anonymous Did This" if I felt like it -- it wouldn't be in any sense the same group that did other things that Anonymous did though.
Please see my response to tptacek, it's not about censoring them, it's about dollars.
Your point about protesting the same law is a good one, it's the coverage that's really valuable. However, sit-ins are only one form of civil disobedience, and many of them are actually doing the thing that's illegal.
Vote with your own dollars, sure. Boycott Mastercard, sure. But interfering with others' legal expression and commerce is just repeating the same injustice that was done to Wikileaks, and damaging innocent bystanders. Leave their dollars alone.
Getting innocent bystanders involved is literally the point.
Indeed, and in a civilized society, there are rules against hijacking others' dollars and interfering with others' lawful commerce, no matter how just you believe your cause to be. Thus, what you call 'literally the point' is also the 'mens rea' for a criminal prosecution.
That's what makes it so impactful: its important enough that the consequences are irrelevant.
It seems that you place a much higher importance on following the law than I do; I don't disagree with what you're saying, but you seemingly imply that that's a bad thing.
Generally, following the law is good, but I hold no illusions that there's any connection between legality and morality.
"Generally, following the law is good, but I hold no illusions that there's any connection between legality and morality."
Not to nitpick but I hope you meant for this to be hyperbole. In general, the law (at least part of it, the parts that aren't purely for practical reasons such as 'everybody should drive on the right side of the road') purports to embody whatever is thought of as 'the moral common ground' of the society it is operating in. In the margin, the implementation can be debated (an epistemological problem of ethics), but prohibitions on and punishment of e.g. murder, rape and theft have a large and explicit moral component.
The key word there is 'purports.' I don't think that it actually does.
Also, I think that prohibitions and punishment say that they have a moral component, but that's largely due to making it easier for the populace to swallow. Opiate of the masses and all of that.
This doesn't mean that I think that there should be a world without rules, either. But these (at least America's) set of rules certainly don't come anywhere close to representing my morality or ethics.
What? Are you serious? Are you saying that murder is illegal 'to make it easier for the populace to swallow'? Are you saying that measures against capital offenses, various forms of assault, protection of private property and enforcement of contracts "do not represent your morality or ethics"? Pray tell, then what are your ethics?
(with claims as outrageous as these I feel like I'm being trolled, but there are at least two people upvoting you?)
> Are you saying that murder is illegal 'to make it easier for the populace to swallow'?
No. I'm saying that by using 'morality' as the reasons for outlawing murder is used that way. In reality, it's very simple to derive the reason that murder is wrong: if we're all allowed to go around murdering each other, we'll have to watch our backs the entire time, and collectively, humanity will never move forward. Very utilitarian. No morality about it.
> Are you saying that measures against capital offenses, various forms of assault, protection of private property and enforcement of contracts "do not represent your morality or ethics"
Yes, I don't think that John Locke was the absolute end to philosophical thought. "Private property" and the accumulation of capital have been the root cause of a large amount of the injustices in the world. Greed is not good. Markets don't work.
> Pray tell, then what are your ethics?
I'm still working out the absolute details, but I'm most certainly in some part of socio-anarco land.
> (with claims as outrageous as these I feel like I'm being trolled, but there are at least two people upvoting you?)
It's because you're thinking on the surface too much. For example: America's rape laws are not in line with my morality. This isn't because I think rape is all good and fine, it's absolutely abhorrent. However, in the eyes of the law, an 18 year old and a 17 year old having sex is wrong, and the 18 year old will be branded a sex offender for life. This is wrong. I don't agree with it.
@1, It's not because there is one reason for something, that that is the only reason. Law is an amalgamation of practical and moral considerations. It would be much more utilitarian if we'd neuter or euthanize everybody with an iq under 90 at age 18 or 25, yet we don't. Is it because of some other utilitarian reason? No we don't because it's a violation of a moral right to self-determination.
@2, I shouldn't say this but I'm getting downvoted left and right today anyway: why aren't you posting from North Korea if it's so great?
@4, this is in the margin. This discussion started with you claiming that "America's (presumable, most of the West's, or even most of the world's) set of rules don't even come anywhere close to representing your ethics", but the only thing you disagree with is some implementation detail (an implementation detail, oh irony, where the tradeoff between morality and utilitarianism was made more in the direction of utilitarianism - statutory rape serves to make prosecution easier).
This really isn't the place or the time to debate most of these things, but I'll leave you with one last reply before this goes even further offtopic:
I'm not saying that I'm utilitarian. Its just that morality can be used as a tool to produce policy that has nothing to do with morals: see the invasion of Iraq, for example. I think we're actually agreeing here.
North Korea is nothing like an anarchist society, and "if you don't like it, move" is not an argument anyway.
In this case, I brought up something that's an implementation detail, because it's an easier segue into the topic. There are other things that are larger, such as the mentioned private property issue.
I think the rules against sabotaging others' commerce are good rules; a moral person would follow them even if they weren't written down.
Also, even if you get the desired headlines and attention, I don't think you score points against bad rules by violating good rules. I believe more people concluded Anonymous/Wikileaks are vandals and bullies from hearing about (or being affected by) the DDoS attacks, than came around to sympathy for Wikileaks.
So orthogonal from any 'letter of the law' analysis, it was an immoral and counterproductive thing to do.
If the 'sit-in' directly blocked the objectionable activity, a different analysis might apply. (And, more bystanders might be sympathetic.) But this, and most other 'sit-ins' I've seen, are just rudeness for attention. Moral and effective activists will choose other tactics.
And regarding: "its important enough that the consequences are irrelevant"
That way lies zealotry, madness, impotence, chaos. The real consequences always matter. The advocate who forgets, in their passion, that consequences matter becomes others' tool, often against their own interests.
> I think the rules against sabotaging others' commerce are good rules; a moral person would follow them even if they weren't written down.
I agree with your statement on its face, but there are certain times when it's okay to break the rules. Sometimes you have to do bad things to achieve good ends. No action is ever white or black, there are only shades of gray.
> If the 'sit-in' directly blocked the objectionable activity, a different analysis might apply.
They did disrupt. Maybe not as much as Anon would have liked, but they did.
You're misreading directly blocked to mean something else, what you want it to mean, general disruption.
Directly blocking the objectionable activity would be something like blocking a disputed eviction, or preventing the deployment of people/resources that are necessary to enforce a bad law. The disruption actually stops or reverses the objectionable activity, for the duration it can be maintained. That's targeted, and far more understandable as a (possibly) principled, non-hypocritical tactic.
Disrupting other things, because you hope to break your opponents with discomfort inflicted through uncivil means, is what crosses the line, a line beyond simply 'law'.
There are thousands of people involved. I'm sure that some people want to be Neo, but not all of them, not by a long shot. Also, if you'll note, Neo had a political cause...
I didn't participate in any DDoS, but it's not like this stuff happens in secret. All you have to do is know where and how to look. It's not exactly secret where these kinds of things are organized and discusssed.
I am okay with 'any kind,' _as long as it's a reasonable response_. For example, if you stepped outside right now and shot a cop, I'd think that you were a bad person, even though I dislike police. However, if some dude in Egypt right now shot a cop, I'd probably give him a high-five. Once the cops start shooting, your escalated response is justified.
I was making a general point about civil disobedience.
In this case, Anon believes (and I'm inclined to agree) that MasterCard made a business decision that not dealing with Wikileaks would be the better thing for them to do. However, a DDOS does two things: makes not serving Wikileaks an actual expense, and manages to bring their message to a wider audience. If anon had ran around just saying "MasterCard sucks," nobody'd care, but they've gotten tons of media coverage multiple times (like from this very article) covering their cause. Apparently they think that this is worth going to jail for.
I don't, and didn't participate. But that doesn't mean that I don't see their point.
I think you're onto something. The FBI, by raiding everyone involved in this, is taking the risk of setting a precedent whereby protest-DDoS is proved legal. If the ACLU or other organization throws lawyers at this, its likely that it will be determined that the CFAA does not actually make DDoS, in circumstances where the user only activates a DoS tool on their computer with permission, illegal.
It really boils down to whether a lack of access constitutes "damage". Denial of service happens "naturally" all the time, just not maliciously like this.
The FBI, by raiding everyone involved in this, is taking the risk of setting a precedent whereby protest-DDoS is proved legal
How is that a "risk" for the FBI? On the offchance it is proved legal then that's no skin off the FBI's nose -- they have plenty of other crimes to be investigating.
Well, if we're going to insist on an ironclad analogy, I would say it's something like opening up a fire hydrant and splitting the stream into a bunch of smaller streams, pointing them at a building, and walking away. Except it's more like everyone's garden hoses somehow reach the building with no loss in PSI, and it's a few dozen people each with their own paltry residential water supply. Now, this does have the potential to cause some damage, but not really anything a heavy rain wouldn't cause. Likewise, a DDoS has the potential to overheat some servers and make some sysadmins lose some sleep, but it's nothing a day of heavy traffic couldn't cause.
It's clearly illegal. But I don't think anyone there has done anything such that 10 years in prison is an even remotely reasonable punishment. I would say it's a misdemeanor at worst, and it should carry something between community service and six months in jail.
And really, the sit-in analogy is probably better than that nonsense I just wrote.
Are you being deliberately disingenuous? It's a distributed Denial of Service which by definition means someone who wants that service can't have it and by extension means that the merchant performing that service expecting revenue from it is denied that revenue.
A single denied credit card transaction can easily exceed the $500 misdemeanor limit. And try telling a business that's operating on razor-thin margins that not being able to process credit cards for a day will "only make some sysadmins lose some sleep."
The same would be true if a bunch of people sat-in on a supermarket chain to protest that chains' actions. Yes, there are costs involved, but there's a difference between stopping someone from making a sale today and destroying $500 worth of property.
This is absolutely absurd logic. DDoS attacks can and do cause measurable hundreds of thousands of dollars of damage. You had to have known that. You just choose to overlook the potential damage here because you support the cause.
Ridiculous analogies aren't helpful. Try something like.. how about standing in front of someone. All day. They can't walk anywhere without pushing past you. Basically harassment and interfering with their day. The damages lie solely in the fact that they aren't able to be productive.
Whole drive encryption. I've seen docu-drama's where they actually break in when they know the suspect has gotten up to go the the bathroom/kitchen so that he can't reboot the computer.
Then, like all things with a shred of reasonableness too them, they become an awesome "check this box every single time" way of doing business for the guys who get their thrills kicking in doors.
> I've seen docu-drama's where they actually break in when they know the suspect has gotten up to go the the bathroom/kitchen so that he can't reboot the computer.
Any specific examples? I'm interested in watching them.
Yup. Sadly no-knock raids have become routine rather than extremely exceptional. It shouldn't be the case, and the fact that it is should be a screaming siren that we need to fix things.
Only one of the reports suggests a door 'busted down'; is that nym known to give reliable, non-embellished testimony? (I can believe that some of the searches might be unnecessarily done that way, but also that there could be exaggeration in pseudonymous reports.)
They're DDOSing websites run by big corporations, so they're obviously terrorists, which means you need to arrest them at gunpoint early in the morning so that you can be sure they won't have time to detonate a suitcase nuke before you can cuff them and get them into the back of the cop car.
DDOS attacks are attacks on the very fabric of the internet. If you believe in the internet, you will not support those sorts of activities. This has a very real ramification for much of the subject matter of HN: The investment community needs to know that any iCompany can't be destroyed by some teenagers with a downloaded tool.
Recall that the last freedom exercise was to try to suppress Gene Simmons' right to free speech (however stupid his opinions might be) by a DDOS on his servers, with all of the collateral damage that entails.
I'm concerned about the knock-down approach by the FBI.
Say I live in a state which allows one to kill home intruders on sight, could I not legally set up an alarm system that sprays some bullets in the direction of the door if it's opened without being disabled? By knocking I can disable it and let them in instead of having a few dead FBI agents on my doorstep.
One of the first cases in a law school tort class is Katko v Briney (http://en.wikipedia.org/wiki/Katko_v._Briney). Briney was a farmer fed up with a break-ins of an abandoned house that he owned. He set up a shotgun to shoot at an intruder's knees if and when the intruder forced the door. Katko, a trespasser, broke in and was shot and injured, sued and won. The quote I remember is (I had to look it up):
‘The value of human life and limb, not only to the individual concerned but also to society, so outweights the interest of a possessor of land in excluding from it those whom he is not willing to admit thereto that a possessor of land has . . . no privilege to use force intended or likely to cause death or serious harm against another whom the possessor sees about to enter his premises or meddle with his chattel, unless the intrusion threatens death or serious
bodily harm to the occupiers or users of the premises.
Of course you couldn't legally set that up, are you insane? On what planet would that be justifiable? Even in Texas, you need to demonstrate a reasonable belief that you were in imminent danger of being robbed or attacked before you are permitted to use deadly force on an intruder in your home.
Somebody bursting down your door in the middle of the night isn't "reasonable belief that you were in imminent danger of being robbed or attacked"? What world do you live in?
Ignore the silly mechanism described, and imagine you're sleeping in bed with your wife at 3am, and are a completely law abiding citizen as far as you are concerned. Why would you possibly have any reason to believe that the people violently breaking down your door and and yelling have good intentions?
This isn't hypothetical, this kind of shit has actually happened. Both innocent people, and cops, have died in these sort of situations.
No-knock warrants (often to the wrong address) are now so common that if I heard my door being broken down I would assume it's the police. The castle doctrine seems like a dead letter at this point. A sad commentary on something, but I'm not sure exactly what.
The grandparent post wasn't asking what would happen if you woke up at 3 AM and shot a policeman mistakenly. He was asking whether it would be legal to rig a booby trap to do it! Those are extremely different situations, to say the least! You're arguing with a straw man.
As I interpreted it, the grandparent post foolishly tried to express his more general question by coming up with a silly hypothetical^ device. The purpose of the device was to injure a police officer as a result of the home-owner not being aware of what was going on.
I've taken the hypothetical device out of the question by pointing out that there are real-life situations where no-knock raids have causes unnecessary loss of life. I'm not arguing with a strawman, but rather restating the grandparents original point/question in a less absurd and tangential fashion.
^I sure as hell hope it was hypothetical anyway...
Yes, my hypothetical wasn't taken so well. I may set up a simple audio alarm with an analog circuit if I ever feel like it, but of course a rigged gun is stupid. (I'd end up making it disabled via remote control too but then I'd worry about it not actually being disabled as I'm opening the door, even if it makes a disabled noise...)
I should have stuck with the Microwave example below, that's cooler anyway.
You're supposed to trust them because they yell "police" or "fbi" as they burst in. Sure an intruder could yell the same thing, but it's the same idea as their badges. Easily faked, but they just have harsh penalties for impersonating law enforcement.
It's 3am and you're sleeping. I don't know about you, but I certainly wouldn't notice first what they were yelling, but rather that there are a lot of flash-lights and load yelling where my locked front door used to be. You could also argue that you're supposed to trust them because they have badges, but the fact of the matter is that expecting you to be reasonably aware of that is, well, unreasonable.
Go read the accounts of people who encountered this sort of situation and were lucky enough to not get killed in the process, whether they fought back or not (just jumping out of bed or daring to act surprised can get you shot here).
I wasn't claiming that it was reasonable. I was claiming what I think the 'prevailing logic' of the situation is. I also was only using the badge example to illustrate a similar situation with law enforcement where they just use stiff penalties to try and prevent what can easily be abused.
Planet Earth. While not exactly the same thing, there were automatic machine guns on the Berlin Wall. I'm not trying to justify it though, just wondering if the police or FBI ever take it into consideration before they go around busting doors before knocking. (Other possibilities include rigging a Microwave without a front door to turn on and temporarily/permanently blind whoever comes through.)
There are legally defensible reasons for breaking into someone else's property. For example, if someone thinks there is someone incapacitated inside, or if someone is running from danger and needs to hide.
Finally, it's not really a booby trap if you're inside deciding which visitors get blasted.
No. I can't find it right now, but there was a burglar who successfully sued a guy who set up some sort of electrical booby-trap. He survived, but injured, and IIRC, won the suit.
It's funny that Mastercard can't defend against an attack that my home router is capable of defending against. (A big limit on connections per /24 per minute should solve this problem. So will using a smart webserver or frontend proxy that doesn't care how many idle connections there are. Then all you have to worry about is bandwidth saturation rather than your servers crashing.)
But the lesson here is, when you visit a web page, a line in a log that identifies you is generated. Generate too many of these lines, and, one line of Perl later, the cops are going to be asking you some questions. Don't participate in a DDoS attack unless you're absolutely sure that nobody is logging your traffic. And that is something that's impossible to be sure of these days.
It seems like it would be trivial to get someone's door busted down by running LOIC aggressively on their computer. I wonder--at what point can the FBI's enthusiastic enforcement be directed, in some sense, as a weapon?
Edit: I've watched Anonymous (insert typical disclaimer about the membership of a heterogenous group of net users) attack more than one of my boxes. DDOS's have been traditionally been the regime of surreptitious botnets, not voluntary ones. I'll bet you some unsuspecting soccer mom (or someone who pisses off Anon) gets nabbed at some point.
They cherry picked a few IP addresses, set surveillance on them, and then chose those few which belonged to people who were active on forums revealing that they were in fact probably guilty and didn't just have a trojan or little brother.
If the FBI intended to comprehensively prosecute every offender your point would be a genuine hindrance. However they only need a few to deter the behaviour and they know this.
Thousands of people participated in these protests, and a handful are going to be made examples of. It's not at all unlike a flesh-and-blood protest.
You can get people to participate in DDoS attacks with a malicious website though.
Just use some JS to create image elements, script tags, iframes etc all with sources pointing at the target, should be able to do a few hundred a second at least.
Even trivial to get people to participate without using javascript. Just pop in a hidden iframe with a million <img> tags in the source.
As things move on, I don't think individuals who happen to fire off a few hundred requests at a website should be investigated/prosecuted/etc. Website owners just need to get better at protecting their systems.
I guarantee the FBI did further surveillance before sending the raids.
They didn't just pick a random IP and then send a team.
They picked the IP, sniffed their traffic, monitored their internet behaviour, read their forum posts, and then finally selected them to be an example.
By performing surveillance like this you can be 99% sure who is a real voluntary participant and who is just a stooge. A voluntary participant will talk about it on forums for example, brag on IRC, etc etc. These will be the ones selected by the FBI for dramatic home visits.
> A voluntary participant will talk about it on forums for example, brag on IRC, etc etc.
So it's like assassination, then: all you have to do to get away clean is to execute only on others' commands, making no plans of your own, and not discussing, bragging, or asking questions. Historically, this leads quickly to a two-level military structure: officers to point, and enlistedmen to shoot.
The only question is whether any sort of hierarchy is possible within a completely decentralized system of mutually non-trusting agents, who are nonetheless driven by either status or belonging. That sounds like it should have a mathematical answer...
Well, if they're snooping your net traffic, then you don't have to say anything on those forums or sites, simply hitting them on port 80 more than a handful of times is probably sufficient. They're trying to differentiate "guy who got botted" from "guy who's doing this manually", and even visiting those sites is probably differentiation enough to establish the probable cause or reasonable suspicion they need for a search warrant.
Just pop in a hidden iframe with a million <img> tags in the source.
Mostly agree, but thought it worth pointing out that no browser will respond to this by parallelizing the million requests - most browsers don't ever open more than a dozen or so concurrent connections to one site. So this wouldn't do as much as you might think, unless you could get lots of users to stay on your page for a long time.
True, although you can probably find all subdomains for the target, or if you're lucky find someone who has setup a DNS wildcard then you'll be able to have a bit more fun and run lots of the requests concurrently.
Maybe my 'few hundred a second' was a bit off, idk
There is a javascript version of the tool (LOIC), so presumably it's effective enough to be useful.
not only that, in Flash you can write a for {} loop that will bombard the target with requests, as long as the movie is running. The ultimate example would be compromising Youtube's SWF player, and using it as a DDOS bot.
Come on, quite a few home routers can't even handle an aggressive Bittorrent client. Yes, DDoS can be defended against, and the fact that the LOIC is pretty primitive helps, but it's not that trivial.
What does being a teenager have to do with being liable? If they're criminally liable, they'll be tried by a juvenile court. If they're civilly liable, their parents will face civil suits.
Are parents civilly liable in the US when their kids do something? That’s under most circumstances not the case in Germany. It is possible but the barriers are extremely high.
A thirteen year-old downloading software off the internet and using it is age appropriate (i.e. it is not reasonable for parents of teenagers to check everything they are doing online), the parents would consequently not be civilly liable in Germany.
(This is my personal extrapolation of the respective German laws. The case I know about is the following: Two twelve year-olds walk home unaccompanied from a nearby playground and decide on their way home to slash the tires of a neighbor’s car with a small swiss army knife one of the kids received as a present. The parents aren’t civilly liable in this case because it is age appropriate for twelve year-olds to walk to a nearby playground and back alone and it is also appropriate for one of the kids to own a small swiss army knife. There is nothing reasonable the parents could have done to directly prevent the incident.)
unlike others I don't pretend to be a legal expert, that's why I've written "most likely not even legally liable" in the first place. I think I've made it pretty clear with that sentence that I'm not sure, but I see it as highly unlikely that persons mentioned in the article will face any serious legal liability over their alleged actions.
But let's wait for the court session (if there will be any), shall we?
With it being Anonymous, I wouldn't be surprised that the main demographic were indeed teenagers. At least those of them who didn't cover their tracks.
I would be willing to bet the teenagers are either most of anonymous or anonymous's cannon fodder. I'm leaning towards the second because it's so much cooler. :)
I think that is one of the most important points of this article.