Hackers took down the sites by inflicting a denial of service, or DDoS, attack, in which they fired Web traffic at a site until it collapsed under the load. Though the indictment mentions 13 hackers, thousands more participated in the attack by clicking on Web links that temporarily turned their computers into a digital fire hose aimed at each victim, in this case the Web sites.
According to the indictment, which was handed up at Federal District Court in Alexandria, Va., the hackers’ tool of choice was a simple open-source application known as Low Orbit Ion Cannon, which requires very little technical know-how.
Hackers simply posted a Web link online that allowed volunteers to download an application that turned their computer into a “botnet,” or network of computers, that flooded targets like Visa.com and MasterCard.com with traffic until they crashed.The indictment is available here.
This attack was known as "Operation Payback" and seemed to have been launched as a way of protesting strict intellectual property laws and entities. The attack targeted the U.S. Copyright Office, the Motion Pictures Association of America, and Mastercard, and others.
Mike Maznick at Techdirt uses this incident as an raise the argument that DDoS attacks should not be treated harshly because they are a modern equivalent of a sit-in (he has raised this argument before: see here and here). I have strong doubts about the strength of this argument, namely because launching a DDoS attack does not carry with it the same expressive connotations as appearing in a certain place in protest. Moreover, the information "communicated" through the attack is not expressive because it is not meant to be read by the recipient -- rather it is meant to override the recipient's capacity to read.
Maznick and other commentators also criticize the damage portion of the indictment that alleges that the attack caused over $5,000 in damage -- with Maznick wondering how DDoS attacks cause damage and with ARS Technica's Cyrus Farivar sniping that Mastercard makes millions in profits.
These arguments are also misguided. DDoS attacks can certainly cause damages. As this report indicates, lost productivity and reputation costs are ranked as the most significant costs of these attacks, though damage to property and equipment also made the list. Moreover, these attacks can cost their victims anywhere from tens to hundreds of thousands of dollars, depending on the size of the attack. The indictment lists damages of $5,000 because that is the minimum damage amount required by the criminal statute.
Finally, Maznick ponders how a DDoS attack can cause damage "without authorization," as any member of the public is free to send traffic to websites. This concern is a little bit more interesting, but also mistaken.
The prosecution is claiming that the defendants conspired to violate 18 U.S.C. section 1030(a)(5)(A), among other provisions. This section prohibits individuals from:
[K]nowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer
This provision of the code, at a quick glance, may seem to criminalize transmitting programs or code without authorization, but upon a closer reading, it is apparent that the term "authorization" does not modify the "transmission of a program, information, code, or command," provision. The transmission activity the statute describes is amalgamated into the single term "conduct", which in turn is set apart from the damage element of the statute where "without authorization" appears.
This reading of the statute indicates that the "without authorization" modifier only applies to the damage element. Even if one successfully argues that members of the public have an implied authorization to send emails to any address, this authorization does not exonerate those who use emails to send destructive files or viruses.
No comments:
Post a Comment