I watched a documentary on Scientology ages ago about how they were suing the crap out of people for DDoSing their site. The problem was these people were basically just kids, most were ~14 years old, who saw something on 4chan and followed instructions. I believe this was ~2001 [correction: 2008]. One of their lawyers was going with the defence that DDoS was equivalent to a sit-in protest, not unlike those used during the segregation protests in the US in the 1960s, specifically of diners who refused black customers. Sending 200 people into a diner and refusing to move is basically IRL denial of service. Unfortunately I can't remember the exact name of the documentary but this wiki page covers the events https://en.m.wikipedia.org/wiki/Project_Chanology. I always wondered how successful that defence was; I haven't been able to find a follow-up.
The major problem with that defense is that sit-ins aren’t legal. There is no general right to occupy private property to make a political point.
You may think that’s what was going on in the 60s lunch counter sit-ins, but the question there was the legality of racial discrimination in privately owned restaurants. The court never ruled on the exact issue, made moot by the Civil Rights Act. But there was never any suggestion that sitting-in somewhere where you had no right to be was legal.
Speaking as someone who wasn't alive during the 60s:
I thought the objective of a sit-in was to gain service (not obstruct it)? My understanding is that people of color were not served when they were very willing to pay for and make use of it.
The objective of sit-ins was to protest, not to buy lunch. If you wanted lunch, you'd go to a place that would serve you and the status quo would be maintained. It's immaterial whether people participating in sit-ins had money or planned to eat.
You might say that the long term objective of sit-ins was to gain service, but only inasmuch as "gaining service" fell under the umbrella of "equal rights".
Finally, as a possibly unwelcome aside, I find it somewhat irritating to see civil rights protestors referred to as "people of color". The Civil Rights Movement was about acknowledging shared humanity, not dividing people into groups based on privilege. Also, Americans, dark-skinned and otherwise, participated in these movements. Many sit-ins involved large groups of white people sitting down with at least one black person, so all of them would be refused service. The Civil Rights Movement of the 60s sought allies regardless of race, which is perhaps why it was so successful.
> The Civil Rights Movement was about acknowledging shared humanity, not dividing people into groups based on privilege. The Civil Rights Movement of the 60s sought allies regardless of race, which is perhaps why it was so successful.
This is rather revisionist.
The term "privilege" in its contemporary usage hadn't been coined then, but if you go back to the writings of early civil rights leaders, it's pretty clear that the purpose was not about "acknowledging shared humanity". It was specifically about liberation of Black people, and the fight to secure equal rights for Black people. It was not uniformly welcoming to "allies" of other races, and in fact, many of its most successful leaders were skeptical at best of support from people who weren't black.
We've since whitewashed the legacy of its most famous leaders, such as Martin Luther King Jr., but even he was a lot less interested in "shared humanity" and non-black "allies". Yes, if you go by popular representation of him today, that's the impression you'll get of him, but as often is the case, the primary sources tell a very different story.
The statement "the Civil Rights Movement sought allies regardless of race, which is perhaps why it was so successful" is only correct if you are referring to the Civil Rights Movement as a retroactive construct: the way that contemporary society has essentially retconned the history of the real civil rights movement. Yes, that depiction of it has been very successful, because that depiction is more palatable and appealing to people who aren't black (specifically: less threatening to white people), and that's why we think of Martin Luther King, Jr. as a milquetoast nonviolent preacher who gave speeches but didn't really step on anyone's toes, instead of the revolutionary, armed radical man that he really was.
Remember though that if the business is unwilling to have you on premises you are trespassing and that is illegal. You can be arrested for sitting in a chair after you are told to leave.
I saw this documentary also, but personally I thought the defense was seriously flawed. A sit-in costs the business money by preventing them from making money, but DDoSing not only costs money because people can't use the site but also costs the company money to deal with the excess traffic. So to me the adequate metaphor is throwing bricks through the window of an establishment you don't like. Would love to hear others' thoughts?
Having to pay for the extra traffic is similar to having to pay for rent and staffing for that day of the sit-in. It's built-in costs of operating that have to be paid because their time of running the business was temporarily suspended.
If you have a serious sustained DDoS (40+Gbps as mentioned in the affidavit), most ISPs will first null route you, and then attempt to terminate your contract. I leave it up to you to draw the parallel with the corresponding landlord's actions.
I mostly agree, if the DDoS is just more real visitors. But it's a whole other problem when the attacker is using amplification or a botnet. Then it's more the equivalent of stealing a bunch of people's trucks and then driving them into the store to stop business.
Right, I get that in both cases the business can't operate, but if you take an example of a modern web application and a DDoS with an ounce of sophistication, it can be hard to quickly understand what is happening. So your autoscaling ramped up, then you realize something extraordinary is happening. By that time you start trying to stop things at the edge, but some costly damage could have already been done as far as hardware resources or engineering time. Now you're spending more money than you would have had to in a normal day of business, and you aren't making money, is my point.
The fact you've used computers to magnify the effect of the protest to your detriment is beside the point.
You set up the business, and arranged for automatic scaling ahead of time. This doesn't entitle you to some special protection because you never took into account something like that could happen.
That's the risk inherent to technology. It lets you scale. Even when you'd rather you didn't.
I won't shed a tear for DDoS services, but I seriously doubt this will have any relevant impact.
These DDoS services exist because we have an Internet full of devices that you can trivially take over by logging into them with admin/admin or other default credentials you can find in public lists. As long as these exist there will be people abusing them.
If you want to do something about DDoS the thing that needs to happen is that the number of trivially vulnerable devices needs to be reduced. That likely means thinking about device security regulations and minimum security requirements, probably also vendor liability.
All seriousness aside, the "domain seizure" actually made me laugh. I guess there was deliberately a bit of humor in it. Random hex numbers scattered all around, glassy blue, and a massive red "THIS DOMAIN HAS BEEN SEIZED," feel at least a little tongue-in-cheek.
Hadn't heard them called "stressers" before. Is that for sites that were pretending they were for stress-testing your own site, not DDoSing someone else's? Glad it didn't work out for them.
Yes, that was the general way they marketed their services: “we’ll help you stress test your site, except we don’t verify whether you own the domain we’ll point our traffic to”.
Yes. I used Blitz.io a couple of times; they'd require you to put either a DNS entry in place or upload a file to a specific location in the domain's root.
I was a lead on Blitz. You’re right that there are ways to get around this domain ownership check, but in practice it was enough of a hurdle to avoid bad actors. Also, I’m pretty sure that these stressors were way more cost effective if your only goal is to DDoS a site.
The idea is that the stress testing site dictates where the file must go, not the user. So for them to run the test, they may need to see a specific file at "subjectsite.com/secretguid"
The idea being that unless you have total domain control, you can't get that file where they want you to put it.
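The ownership check described in the comments above, sketched as an added example (this is not Blitz.io's code and not part of the thread). The key, the `loadtest-verify=` TXT prefix, and the injected `fetch` and `txt_lookup` callables are hypothetical names chosen for illustration, and the "web" is constructed sample data.

```python
import hashlib
import hmac

# Hypothetical per-deployment secret; a real service would load it from a secret store.
SERVICE_KEY = b"constructed-demo-key"

def normalize(domain):
    return domain.strip().lower().rstrip(".")

def make_challenge(account_id, domain, key=SERVICE_KEY):
    """Return (path, body). The service picks both, bound to one account and
    one domain, so a token proven for one site cannot be replayed for another."""
    msg = f"{account_id}|{normalize(domain)}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"/{mac[:32]}.txt", mac[32:]

def verify_http(account_id, domain, fetch):
    """fetch(url) -> (status, final_host, body) is an injected HTTP client."""
    path, expected = make_challenge(account_id, domain)
    status, final_host, body = fetch(f"https://{normalize(domain)}{path}")
    if status != 200:
        return False
    if normalize(final_host) != normalize(domain):
        return False  # redirected off the claimed domain
    return hmac.compare_digest(body.strip().encode(), expected.encode())

def verify_dns(account_id, domain, txt_lookup):
    """txt_lookup(name) -> list of TXT strings is an injected resolver."""
    path, expected = make_challenge(account_id, domain)
    want = f"loadtest-verify={path[1:-4]}{expected}".encode()
    return any(hmac.compare_digest(r.encode(), want)
               for r in txt_lookup(normalize(domain)))

def demo():
    # Constructed sample data: a dict standing in for the web.
    path, body = make_challenge("acct-1", "shop.example")
    web = {f"https://shop.example{path}": (200, "shop.example", body + "\n")}
    def fetch(url):
        return web.get(url, (404, url.split("/")[2], ""))
    return (verify_http("acct-1", "shop.example", fetch),    # owner placed the file
            verify_http("acct-2", "shop.example", fetch),    # other account: different path
            verify_http("acct-1", "victim.example", fetch))  # domain not controlled

if __name__ == "__main__":
    print(demo())
```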
You're right. There are plenty of legitimate companies that offer security services whether it's pentesting or DOS attacks. The dark web/malicious providers normally say something like: "this can only be used on machines you have permission to test" while doing absolutely no verification that the services are owned by the purchaser.
They just seized the marketing sites domain names? How is this a victory? If the people running these sites are still able to continue their operations then they'll just get a new domain name and host a new signup page. The only thing they might have lost is some brand recognition.
Sure, some particular DDoS campaigns can be seen as a sit-in protest and personally I'm not personal objective or supportive to these campaigns, but under the current architecture of the Internet and World Wide Web, DDoS cannot be prevented, and as a vulnerability, it not only enables "sit-in protest", but essentially enables a mechanism of censorship, especially after the rise of these "DDoS as a service" vendors, they are effectively a "Censorship on Demand" service. Any self-published speech on a personal webserver now can be kicked out of the Internet by anyone. For example, during the Hong Kong Occupy Central protest in 2014, some news websites experienced a government-sponsored 500 Gbps DDoS attack. The recent example was Krebs On Security blog, which has been a target for blackhat groups and hit by a 1 Tbps attack.
The World Wide Web was supposed to be a (to some extent) permissionless publishing platform, that means if you are already connected to the Internet via a commercial ISP, as long as the content is legal and the law of your jurisdiction protects the freedom of speech, you don't need anyone's particular approval to run an HTTP server. But now under the threats of DDoS attack, no independent webserver can survive, the only solution is utilizing a centralized CDN / reverse-proxy, and accepting an EULA of their choice and theoretically they can modify and censor your traffic arbitrarily. I think decentralized systems such as ZeroNet or IPFS may be a solution, and I hope they can be integrated into a web browser one day.
This is exactly how they're marketed - they're not DDoS services, they're "stress testing" services you can use to make sure your server can withstand a real DDoS. Obviously nobody (including the FBI) believes that.
Any idea what percentage of all (at least the biggest ones) were taken down? '15 high-profile [...] websites' could be most of the high-profile ones or just 10%. Sadly, few articles put things into perspective.
It's also worth noting that civil asset forfeiture is becoming more controversial because of perceived misuse. An extreme example: simply carrying large quantities of cash, with no other indicators of illegal activity, has been used in the past to initiate forfeiture.
Pretty sure that guy you are responding to didn't. There are countries other than America out there that also think crime is a bad thing and are happy to cooperate to stop it.
Because the US created and still largely controls the internet, in practice if not in ideology. Also we have the largest military and law enforcement reach on the planet.
The FBI should not apply American rules on a global population. .com and other top-level extensions are not US country domain extensions; they are global.
The US (and many other governments) claim jurisdiction over crimes committed against their citizens as well as crimes committed by their citizens no matter the physical location.
If you think a country protecting its own citizens is "abuse," well, then we'll have to agree to disagree.
> The FBI should not apply American rules on a global population. .com and other top-level extensions are not US country domain extensions; they are global.
I'm pretty sure they went through ICANN, which would absolutely (and should) support taking down criminals and criminal services from the internet, that they control. There are international laws and treaties. I don't think you'll find too many countries who would agree that it's ok to sell DDoS services. There is no legitimate use for them. Are you suggesting that that position is strictly an American one? I tend to think it's a global one...
You may agree today with how that attack is being used, but history is a good indicator that you'll likely not always agree with what the government does or how it misuses its power.
Long term I expect decentralized domain name solutions to replace the currently vulnerable ones.
In the absence of any international organization with the power to remove criminal sites, the U.S. government has every obligation to act. Provided, of course, that there is a demonstrated and ongoing crime involved.
This is a good illustration of why the top-level DNS naming structure should have been aligned with legal jurisdictions (basically the two-letter country codes) and not some quasi-global-legally-ambiguous-originally-american global namespace.
Law enforcement does one of two things to "take down" a site:
1. Seize servers via an IP address
2. Seize a domain record itself and redirect it
Both of these "attacks" are not possible with Tor hidden services, because a.) there is no IP associated with the hidden service (although Tor in theory is subject to traffic correlation) and b.) there is no domain record that can be redirected unless you actually have the corresponding private key since Tor hidden service addresses are the public component of that keypair.
Well, the obvious difficulty is in nailing the specific IP address, and thusly the location of the server hosting the content, due to the obfuscation that TOR provides.
It’s essentially the same reason you’re safe browsing it.
The issue, however, is that web sites always need to be hosted on a physical server somewhere, and all it takes is one social media account or email that gives away some aspect of your identity or location for them to find it - assuming you’re doing something illegal of course. There’s nothing inherently illegal with hosting TOR sites. :P
That doesn’t mean that shutdowns don’t happen, though. The FBI recently shut down a number of TOR sites with illegal content.
> The takedown stems from an investigation that started no later than last August and culminated in a court order issued Wednesday directing domain registrar Verisign to turn over control of ToKnowAll.com.
I also have to wonder if any of the DDOS services used by Verizon, MPAA, and other US corporations to attack IP violators (or in Verizon's case, their own comment pages) are affected. It's illegal, but somehow it never seems to be prosecuted or stopped when it's being done by the right people.
The US is such a weird country. They probably have the best free speech protection in the world, for which I admire them, but then they do this kind of stuff. They sometimes are an example in freedom and sometimes they're the complete opposite.
Maybe we "do this kind of stuff" specifically _because_ we value free speech. DDoS perpetrators restrict the online speech of their victims. There is nothing inconsistent about America's First Amendment protections and the FBI's actions here.