
Former YouSendIt CEO pleads guilty to Web attack on his old company - dirtae
http://latimesblogs.latimes.com/technology/2011/06/yousendit-guilty-khalid-shaikh.html
======
snowmaker
Whoa .. there is a big story in here somewhere, which appears to have gone way
over the head of the LA Times hack who wrote this regurgitated press release.

He was arrested on criminal charges for running a simple benchmarking program?
By the company he was formerly the CEO of?

This is patently ridiculous, and can only be a case of YouSendIt having some
major grievances with him about something else, or some other kind of ulterior
motive. It seems only reasonable that he was running apache benchmark for
curiosity, not with any serious malicious intent, and is now being held on
some trumped up charges concocted by people out to get him.

If anyone knows of an article that actually explains the relationship between
YouSendIt and their former CEO, please link to it.

~~~
tomkarlo
"This is patently ridiculous" ... how? The guy plead guilty to what was
essentially a DOS (corrected from DDOS) attack intended to interfere with the
company's ability to do business. Was it a really simple attack? Yes. But I'm
not sure that's relevant. It's kind of like being caught trying to burn
someone's house down and then claiming you were just testing to see if it was
flammable.

~~~
snowmaker
How do you know that he intended to interfere with the company's ability to do
business? Sure, that's what the FBI said (channeled, presumably, from
YouSendIt), but he could have just been running apache benchmark as a simple
test to see how the server would respond.

In fact, the allegation doesn't really make sense, because as the former CTO,
if he had really wanted to interfere with the company's ability to do
business, you'd think he could have found much better ways to do so. Logging
in and deleting the company's data, turning employees/investors against them,
or writing negative articles about them would have had a far greater
consequence on their business than running an apache benchmark program.

To be clear, I'm not claiming to know what happened; I'm just saying that this
press release is a deeply one-sided view of the story, and that the situation
smells funny.

~~~
tomkarlo
Well, at this point, that's what he himself has said, since it was a guilty
plea. Presumably he had to admit not just his actions but his intent / malice.

~~~
enjo
While I tend to agree with you that he likely did something malicious, a
guilty plea in this day and age doesn't really tell you that.

He may have been taking a plea bargain out of fear of much worse?

~~~
Stormbringer
The problem with pleading guilty, is that then everyone thinks that you're
guilty.

------
seats
>> "By intentionally transmitting the ApacheBench program to YouSendIt's
server..." the FBI said in a statement.

This statement makes it clear how unfamiliar the FBI is with technology.

~~~
powertower
No. The payload was the binary ab.exe (ApacheBench), sent over and over again
using the YouSendIt service, which sends files from person A to person B
instead of using email.

~~~
brown9-2
What would be the point of this? Why send _ab_?

~~~
ceejayoz
It would certainly send a statement. "You really should be using ab for load
testing. Here, have a million copies of it."

------
staunch

        $ ab -c 500 -n 1000000 http://example.com/some/resource/intensive/url
    

Amazing how many sites this kind of "attack" would take down. Most sites don't
have any throttling in place to stop it.

~~~
phpnode
Although there was obviously malicious intent here I think it's amazing that
typing one line into a terminal can result in (potentially) 5 years in prison.

~~~
GigabyteCoin
Pulling a trigger is pretty easy too.

~~~
kristofferR
Yeah, but the difference between killing someone and making a website go down
is pretty huge. 5 years for a DOS is insane

~~~
OstiaAntica
I don't know, it is a pretty vicious act to knock someone's business offline.
Worse than car theft. DOS could be disrupting thousands of lives and commerce
or research, depending on the site. Five years seems about right if the intent
is malicious.

~~~
duck
You could also say not setting up the right infrastructure to stop such an
attack is malicious of the owners of the site.

------
jonknee
It's pretty pathetic that a file transfer site can be harmed by a single user
running ab. I really hope there is more to this. I run ab all the time on my
own stuff, I didn't know I could go to prison for something as simple as
testing the performance of a site I used to run.

------
desigooner
Isn't he the same guy who was barred from the iOS store for creating crappy
apps that were essentially just webpages packaged as applications?

Wonder whatever happened to that ordeal

------
jonknee
tl;dr "web attack" = ApacheBench

------
ChuckMcM
More about Khalid : <http://blekko.com/ws/Khalid+Shaikh+/techblogs>

I agree with comments here that this is one of those 'these facts don't sound
like the story in which they are presented' Given the timeline of his
relationship with YouSendIt its possible he had a grudge against them, just
speculation though.

------
mmaunder
The fact that he got caught suggests he didn't bother to cover his tracks
which is fairly easy to do. So how do you not realize that throwing a brick
through your old employers front window isn't a crime?

------
powertower
Maybe they swindled him out of his vested options too.

------
powertower
For those that are getting confused.

What he did was something like this...

    
    
        C:\Apache\bin\ab.exe -c 500 -n 5000000 -p ab.exe http://yousendit.com/send-it
    

Using ab.exe to POST the binary ab.exe over and over using the service
(yousendit) which send file1 from user1 to user2.

~~~
tomkarlo
Are you getting this from somewhere other than the OP and linked FBI
statement? Just wondering if someone else has written about this case...

