In ‘Anonymous’ Raids, Feds Work From List of Top 1,000 Protesters (wired.com)
94 points by d0ne on July 27, 2011 | hide | past | favorite | 64 comments



I'm not necessarily against feds going after DDOSers, but this is a shameful, politically motivated retribution.

The "crime" here is not sending packets to DDOS PayPal but criticizing the government. The government is in turn showing they're not afraid to destroy the lives of those who do.

DDOS attacks are pretty much an epidemic on the internet. I'm pretty sure every major company like Google or Microsoft or Amazon has to deal with them on a regular basis (http://mashable.com/2009/12/24/ddos-attack-amazon/ for just one example of an attack that was actually successful and well publicized).

Huge botnets make it relatively easy to launch an attack.

This is not some new fact - existence of bots, DDOS attacks on many hosts, that's been known for years and yet this is one of the few times where feds lifted a finger to combat it and certainly the first time where it's done on such a scale and based on such flimsy evidence and small transgressions like an individual running a DDOS tool (which, by itself, is not nearly enough to bring a website down, it only works if many people are doing it at the same time).

This is not a coincidence and not really that surprising - you fight the government, the government will fight you.


If you read the article, this list of "protestors" is the list of IP addresses who hit PayPal with the most DDOS packets.


They were still simple home connections. Big companies suffer attacks far greater than the bandwidth of any one of the people arrested.


That could be one explanation. However, it's also true that this series of attacks has been some of the highest profile attacks ever publicized. Even if the government wasn't attacked, they'd probably have to do something to appease the general public. "We're doing nothing" probably wouldn't fly.


After reading the article, it appears as though Anon were lured into the attack by PayPal. Then it sounds like the Feds already had all their stuff in place to collect the data while the attacks were happening.


  > Then it sounds like the Feds already had all their
  > stuff in place to collect the data while the attacks
  > were happening.
[citation needed]

My read says that PayPal had some sort of network monitoring system in place which allowed them to capture data during the attack. They then handed this information over to the Feds.


Yes, one of Radware's ids/idp solutions. (Radware is an Israeli company who do some nice kit - I've bought quite a few of their boxes).


After reading the article and most of the affidavit, it sounds like you completely made up both of these claims.


The newly released affidavit was offered in support of a search warrant for the home of an Arlington, Texas couple and their son, who were among the July 19 targets, and have not been charged. The house was the source of 3,678 packets in about two-and-a-half hours starting December 8.

So they're going to arrest a kid for sending an average of one packet every two seconds, over the period of two-and-a-half hours?


If you assume an MTU of 1500 bytes, then this kid sent about 5.25MB worth of data.
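A worked illustration of the ranking the thread is arguing about, added here as an example and not taken from the article, PayPal's systems or the affidavit. The log format and all traffic are constructed, the addresses are documentation ranges, and the year on the timestamps is assumed. It ranks sources by packet count the way a "top 1,000" list would and computes each source's bytes and packets per second over the observation window, so the 3,678-packet figure can be seen beside a genuinely heavy source:

```python
"""Rank traffic sources by packet count and derive per-source rates.

Added example (not PayPal's, Radware's or the FBI's tooling): it shows what a
"top N sources by packet count" list contains and how little a single source
at the affidavit's 3,678 packets / ~2.5 h contributes. The log line format
'<ISO-8601 ts> <src> <dst> <bytes>' and all traffic below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    length: int  # bytes on the wire


def parse_line(line: str) -> Packet:
    """Parse one constructed log line: '<ISO ts> <src> <dst> <length>'."""
    ts, src, dst, length = line.split()
    return Packet(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(length))


def build_sample(start: datetime, window: timedelta) -> list[str]:
    """Construct log lines (assumed format, not real traffic).

    203.0.113.10 matches the affidavit figure (3,678 packets in the window),
    203.0.113.20 is a much heavier talker, 203.0.113.30 is background noise.
    Every packet is a full 1500-byte MTU, as the thread assumes.
    """
    plan = {"203.0.113.10": 3678, "203.0.113.20": 90000, "203.0.113.30": 12}
    lines = []
    for src, n in plan.items():
        step = window / n
        for i in range(n):
            ts = start + step * i
            lines.append(f"{ts.isoformat().replace('+00:00', 'Z')} {src} 198.51.100.5 1500")
    return lines


def rank_sources(lines: list[str], top_n: int) -> list[dict]:
    """Top-N sources by packet count, with bytes and packets/second.

    The rate uses the whole observation window (first to last packet seen
    across all sources), so a sparse source is not flattered by its own
    first/last timestamps.
    """
    packets = [parse_line(line) for line in lines]
    first = min(p.ts for p in packets)
    last = max(p.ts for p in packets)
    window_s = max((last - first).total_seconds(), 1.0)
    count = defaultdict(int)
    nbytes = defaultdict(int)
    for p in packets:
        count[p.src] += 1
        nbytes[p.src] += p.length
    ranked = sorted(count, key=count.__getitem__, reverse=True)[:top_n]
    return [
        {"src": ip, "packets": count[ip], "bytes": nbytes[ip], "pps": count[ip] / window_s}
        for ip in ranked
    ]


def affidavit_like_source(lines: list[str]) -> dict:
    """Return the ranking entry for the source that mirrors the affidavit's numbers."""
    return next(e for e in rank_sources(lines, 10) if e["src"] == "203.0.113.10")


# Start time is constructed: the affidavit says "December 8", the year is assumed.
START = datetime(2010, 12, 8, 18, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=2, minutes=30)

if __name__ == "__main__":
    sample = build_sample(START, WINDOW)
    for entry in rank_sources(sample, 3):
        print(f"{entry['src']:<14} {entry['packets']:>6} pkts "
              f"{entry['bytes'] / 2**20:5.2f} MiB {entry['pps']:.2f} pkt/s")
```

Run it and the affidavit-like source comes out at about 0.4 packets per second and 5.26 MiB, second on a list of three only because the sample has three sources. The count says which address sent the packets in the window, not who was at the keyboard, which is the question the later comments about IP addresses versus persons raise.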


But he didn't buy anything! This is like walking into a book store, looking around at books, reading a bit, and leaving the store without making a purchase. Clearly a federal crime.


Analogy time:

One person taking a book means others can not see the same book. Acceptable DoS because the owner thinks you may purchase it.

One person taking several books means others can not see the same books. Questionable DoS because the owner thinks you're screwing around.

Many people taking several books out in the store leaves the owner to suspect a DDoS attack because there's not usually that many people and none seem to want to buy. It's especially malicious if there's intent.

Ugly thing about DDoS is that since there's an exceptionally large number of people and no books to check out, loyal and new customers will be put off and may not return causing future loss.


Yeah but he looked at over 9000 books and therefore committed the crime. Of course, the only crime he is guilty of is being young and inept.

They're going after these people to make an example of them, not because they did anything actually harmful.


I think a better analogy would be one where everyone was standing in the doorway and not letting anyone else use the store.

Probably a crime, but a pretty minor one.


They probably won't arrest him. I'm a bit surprised that this was enough to even get a search warrant...


Considering that most DDOS attacks come from zombie bots installed on programs when people Torrent, I'm surprised that there were arrests made based on IPs


Did you read the article? Paypal provided evidence that the DDoS was coming from LOIC, a manually-operated non-botnet tool. Also, it sounds like Paypal's evidence was only used to get search warrants, and evidence found in those searches (like LOIC) would then be used to justify arrests.


Not necessarily manually-operated. See also: LOIC Hivemind.


I know. I was thinking the same thing. How does an IP address translate to a human being?


The issue is not how to translate it but whether an IP address identifies a person beyond reasonable doubt, especially given Anonymous's ability to defeat FBI/CIA and other military grade networks including those the FBI/CIA employ to protect them.

It really raises question as to whether you can trust something as flimsy as an IP header given the technical sophistication of Anonymous. These people could well be innocent and in fact victims of anonymous directing attention away from itself and towards these innocent victims. When Anonymous can gain control of HB Gary and FBI/CIA assets imagine what they could do to an off the shelf system that hasn't been through the rigorous security protocols that HB Gary, the FBI and CIA follow.

Given the mutability of data on a USB stick I'd also be very interested to see the chain of custody on that data and how it might have been modified. Also, the defense should request access to the source code for the IDS system in question so that it can be examined for bugs and problems that may affect its ability to generate reliable evidence.
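The integrity check the comment asks for, as an added example (not the FBI's or PayPal's procedure; nothing on the page describes what was actually done with the USB stick): hash every file on the media into a manifest at the moment of seizure, seal the manifest, and re-verify before the data is relied on. File names and contents are constructed; the demo tampers with one file, deletes another and adds a third to show what verification reports:

```python
"""Chain-of-custody integrity manifest for seized files.

Added example, not any agency's procedure. Every path and file body below is
constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict[str, str]) -> str:
    """Digest of the canonical manifest; this is the value to record and sign
    in the evidence log at seizure so the manifest itself cannot be swapped."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the media's current state with the sealed manifest.

    Reports files whose content changed, files that disappeared, and files
    that were not present at seizure. An empty report means the evidence is
    byte-for-byte what was hashed originally.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed 'USB stick', seal it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed evidence files; contents are placeholders.
        (root / "capture.log").write_bytes(b"2010-12-08 18:00:00 203.0.113.10 -> 198.51.100.5\n")
        (root / "notes.txt").write_bytes(b"analyst notes\n")
        manifest = build_manifest(root)
        seal = seal_manifest(manifest)
        assert seal == seal_manifest(build_manifest(root))  # untouched media re-seals identically

        # Simulated tampering after the seal was recorded.
        (root / "capture.log").write_bytes(b"2010-12-08 18:00:00 203.0.113.99 -> 198.51.100.5\n")
        (root / "notes.txt").unlink()
        (root / "extra.bin").write_bytes(b"\x00")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only has value if its seal (or the manifest itself) was recorded somewhere the custodian cannot later alter, for example written into the evidence log and signed at seizure; a hash computed after the stick has changed hands proves only that nothing changed since then.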


These people could well be innocent and in fact victims of anonymous directing attention away from itself and towards these innocent victims.

This is wishful thinking, but there is a sense in which it is true. People running LOIC are typically if not exclusively clueless mooks duped into doing so by people who know better.

For all the mythos around Anonymous "having no leaders", I doubt very strongly that you'll find many examples of people who spontaneously downloaded LOIC and started flinging packets at PayPal. Instead what you'll find is people who say they got the idea from an image posted on 4chan (or elsewhere) or from "some guy" on IRC.

All you have to do to convince someone to willingly join a botnet (or anything else) is show them that 1) this is a way to relieve their angst and 2) other people are doing it. The affidavit even includes examples of the kind of image instructions that accomplish exactly this. The "orders" spread as would memes, and the originators of those orders put themselves at almost no risk to distribute them, while "innocent" members of the herd get caught.


When Anonymous can gain control of HB Gary and FBI/CIA assets

Indeed: "When..." But AFAICR, Anonymous didn't gain control of either FBI or CIA assets. Hacking a self-described FBI "affiliate" and DDOSing cia.gov are hardly the same thing.

Also, holding up HB Gary Federal as an example of an organisation with "rigorous security protocols" is an amusing claim with no real evidence.


Maybe, I'm not so sure though. If you participate in a mob that went down to some local business to throw rocks through their window, should you expect to be let off easy because you just threw a pebble?

On balance I think the idea that DDoS is "ok" and should be tolerated is not a good road to travel down.


The equivalent of a DDoS is a sit in, not stoning people in the streets. Do they serve search warrants for people who participate in those?


Sit ins are not legal either, you can be arrested for trespassing on someone's property if you've been told to leave. The purpose of a sit in is to draw attention to an issue through non-violent means, and it's accepted that there may be consequences to that (including jail time) but the cause justifies the risk.

Regardless, it's questionable whether a DDoS and a sit-in are comparable. For one, DDoS does not require the presence of the individual, this makes it more difficult to form a connection with their cause and the activity. For another, a sit-in doesn't typically totally shut down a business, let alone at a national scale. With a DDoS a very tiny minority of people are able to disrupt the business activities of millions. This is not the sort of thing that we want to become accepted as a legitimate form of protest. You may think it's all well and good when people who are "fighting" for causes you believe in are "sticking it to the man" but if it becomes the norm then everyone with a grudge will use it. And then it won't be the "good guys" wielding the power it'll be the people most fanatical in its use who will get what they want.

If you want to find a form of protest that mimics a sit-in, fine, go ahead, but find something other than DDoS, because that isn't it.


Reading comprehension. I am not suggesting that sit ins are legal. I am asking if participating in one is enough for the police to get a warrant to thrash your house.

Furthermore, sit ins are by definition denial of service attacks. Assertions about differences of scale are 1) irrelevant, 2) questionable (most DDoS fail miserably).

This has nothing at all to do with my approval or disapproval of the politics.


Here the analogy breaks down. Sit ins are nominally illegal. DDoS is also a crime. And whereas a sit-in doesn't involve any special equipment and happens outside someone's home the equipment and the act itself of a DDoS happens in the home, so using strong probable cause to obtain a warrant and collect evidence is perfectly legitimate I think.

As far as sit-ins vs. DDoS, it's patently ridiculous to say that scale is irrelevant. If I steal a single penny that is a much different crime than if I were to steal a penny from everyone in America. And if I stage a sit-in at a place of business and deny one or a handful of customers the opportunity to do business that's incomparable to if I deny a thousand or a million people.

One of the core reasons why sit-ins are a respected form of civil disobedience is because it preserves an important aspect of scale. One person one seat. The more popular a cause is and the more people are dedicated to fighting for it the more effective the sit-in can be. But unpopular causes will find it tough to use a sit-in to advance their agenda. The public will ignore their cause and turn a deaf ear to their arrests. And no one will take their place at the sit-in once they're gone. That sense of scale is important. In contrast, a DoS becomes very much more akin to a bomb threat or breaking windows. Because a far smaller and less popular group can effectively disrupt the business activities of a very large number of people. That is not in any way a good thing.


I like your breakdown of the DDoS vs the sit-in. The requirement of many people vs a few does make an important distinction when considering the effectiveness as a form of protest.

But I think the analogy to a bomb threat or breaking windows is a bad one, primarily because it's likely to be misunderstood. I'll agree that those are more similar in the sense of scale, but that's about the only similarity. Bombs and stones damage both property and individual human lives in ways that are likely to be traumatic and irrevocable. A DDoS is peaceful, causing only a temporary financial effect on a business.


This kid didn't control a botnet. He sent a handful of megabytes of data down his residential connection.

He had the functional impact of a single person at a sit in. No, realistically even less.


If he had gone to say the paypal homepage and diddled around all day then he would have had the same impact as a sit-in. Instead he simulated the traffic of thousands of people. That's not comparable to a sit-in.


Bullshit. The entire idea behind a sit in is a number of people consuming disproportionate resources of an establishment. You don't participate in a sit in by using the amount of resources that a single person might normally reasonably use.

I suggest you read this article, since I am beginning to suspect you are operating under a very very distorted definition of the term: http://en.wikipedia.org/wiki/Sit-in


the point isn't the amount, the point is participation. Such a low intensive, no damage, DoS is akin to a peaceful protest in front of the company store, only virtual.

Any real protest in front of a real store is in turn also a kind of DoS - thinking about that I wonder whether real protests can be more successfully prosecuted on such grounds, especially since stretching DoS to an "act of domestic terrorism" is very acceptable today.


> So they're going to arrest a kid for sending an average on one packet every two seconds, over the period of two-and-a-half hours?

As a general principle, if it is illegal for one person to perpetrate an act against a victim, I don't see how it should not be illegal for a large group of people to perpetrate the same act, even though the individual contribution of each member of the large group might be small enough that if he were alone it would not rise to the level of a crime.

To do it any other way would open up a hell of a big loophole, it seems to me.


It's an interesting question, though. If 1000 people tell one person that they don't like them, and the person commits suicide, then it's reasonable to claim that the group drove them to do it. However, do you prosecute an individual who merely tells someone, "I don't like you?" On an individual basis, it's a weak case. I'm not sure how the law deals with this, or even if there exists any legal principles dealing with how to prosecute actions that are, by themselves, harmless and not illegal (running LOIC may signal an intent to block access, but in the same way that gunning a Pinto on the highway may signal an intent to speed, you're unlikely to be able to break the law).


If the 1000 people did it in coordinated manner with the intent of causing harm to the one person then it would seem like a crime to me. Of course, it's the leaders who should get the severe punishments, but you still have to punish the others too (to a lesser extent). Otherwise you're just saying that it's acceptable to help people commit a crime.

And why are people complaining about the FBI going after people anyway? It's their job to catch (probable) criminals, so they can't really start deciding which ones to pursue. It's the judges and juries (and lawmakers) who make that decision.


Yes. And ruin his life.

How to launch a worse attack than these people did:

1) Browse to website. 2) Place heavy object on F5 key.

Seriously.


Is that even the rate of putting something on the F5 key on the webpage and letting the browser refresh?


The newly released affidavit was offered in support of a search warrant for the home of an Arlington, Texas couple and their son, who were among the July 19 targets, and have not been charged. The house was the source of 3,678 packets in about two-and-a-half hours starting December 8.

Man, they executed a federal raid with FBI agents over something that amounted to a few thousand "Slowloris"ed GET requests over a few hours?

How much does something like that cost? What, 2-4 agents, 4-8 hours, seizure, paperwork, court filings, etc. Tens of thousands of dollars, right?

I want a tax refund.


To echo a good question posed in the comments of the original article.

"what is the digital equivalent of civil disobedience and protest?"


Here's the thing with Civil Disobedience: you take a certain amount of risk when you do it. In fact, if there is no risk, there's little point in the "disobedient" action at all. So when these guys go to jail for DoSing a server, they've actually partially succeeded. Now when a majority of the populace cares that they've been punished for their actions, and believes the disobedience was a just action against an invalid law, then they'll have actually succeeded.

Put another way (and translated into meatspace), environmental protesters don't win when they chain themselves to a tree to stop it from being cut down. They win when they are confronted by the authorities, hauled off to jail, and covered by the media, making people aware of their protest. Simply blocking access to the site and hoping there will be no repercussions is basically pointless.


Simply blocking access to the site and hoping there will be no repercussions is basically pointless.

Not necessarily. Some civil disobedience is symbolic, as you describe, some is direct action. Some acts of civil disobedience have succeeded even though there have been media blackouts, mostly because the cost of continually arresting protestors who refuse to back down exceeds the downsides to negotiation.


Maybe LOIC is it? If one part of civil disobedience is sending the state a stream of low-level "law-breakers", it's relatively successful, because now the government is wasting time and resources arresting people who sent 5 megabytes of packets somewhere.


This would be civil disobedience if they turned themselves in after committing what is considered a crime, to point out the unjustness of the law that makes it a crime.

I didn't see Anonymous turn themselves in, did you?


This would be civil disobedience if they turned themselves in

That's not, actually, a requirement of civil disobedience, and never has been, historically. For instance, millions broke the salt laws of India, but only 80,000 were arrested, and I can guarantee that the remainder did not voluntarily turn themselves in.


I stand corrected - I always assumed CD at least required you publicly announcing that you broke the law.


Civil Disobedience is (by definition) illegal, so I'm pretty sure it wouldn't make much sense for there to be any rules or requirements around it.


So I would assume they are going to be getting the most clueless kids here that probably caused minimal harm. I assume the real organisers of this kind of action wouldn't be DDOS'ing PayPal with easily identifiable packets from their home IP addresses.


How exactly does one take an IP number and point a finger to the person who caused that transmission? If a computer can be hijacked by an undetectable virus from a Sony cd, can we really say for sure who caused any transmission from a PC? What if you framed your neighbor's unsecured wifi? Or target someone's home? It's like a modern day witch hunt!


How exactly does one take an IP number and point a finger to the person who caused that transmission?

Good thing that's not what the FBI is doing.

can we really say for sure who caused any transmission from a PC?

If a computer is seized from a teenager's bedroom and it has LOIC installed and it isn't malware-infested...


If a computer is seized from a teenager's bedroom and it has LOIC installed and it isn't malware-infested...

Are you not bothered by the notion of a warrant being issued for search of your home and seizure of your computers based on nothing but an IP address?

I'm extremely bothered by that, personally, because I know enough about networks to know how very shaky that "evidence" of identity is.


I'm more bothered by the idea that the architecture of the Internet would be turned into a "get out of jail free" card. Unless your attacker is completely incompetent, the only evidence you'll have is an IP address; if you can't use that then you have nothing.


I hate to parrot quotes as an argument, but I feel like this one is appropriate here: "Better that ten guilty persons escape than that one innocent suffer" - William Blackstone (various others have said it over the years with "ten" replaced by some other value, usually even higher than ten)

Given that having your computers and data seized is already punishment for a lot of people, possibly significant and life-altering punishment, I think courts should be damned careful about allowing police to take that action. I've known people whose businesses have been destroyed by computer seizure. And I've known people who have only gotten their computers back years later (which effectively is the same as "never", because computers have a relatively short shelf life), despite no charges ever being brought against them. My business probably wouldn't currently be destroyed by the loss of all of my personal computers, but it would certainly be a very serious hardship, far beyond what I feel would be just punishment without a trial. And, seizure of all of my servers (including the ones where the backups are stored) probably would very nearly destroy my business and cost me tens or hundreds of thousands of dollars in lost sales and data.

A search is one thing, effective theft of my means of putting food on my table is something altogether different, and I think police ought to have to have a pretty damned good reason for taking away my livelihood for an indeterminate period of time.


Err, you do understand how warrants work, right? You don't get one by proving someone is guilty, but by showing there is probable cause.

>The standard for a search warrant is lower than the quantum of proof required for a later conviction. The rationale is that the evidence that can be collected without a search warrant may not be sufficient to convict, but may be sufficient to suggest that enough evidence to convict could be found using the warrant.

http://en.wikipedia.org/wiki/Search_warrant#United_States_of...


And issuing a warrant based on an IP address is roughly akin to issuing a warrant to search a random person on a bus, because someone who may have committed a crime is known to be on the bus.

I'm simply uncomfortable with the level of the bar on probable cause with regard to IP addresses, given how little information an IP address actually provides, even when government has cooperation of the ISP to identify users of that IP during the actions in question.

I'm also uncomfortable with the history of how computer seizures have been handled, and how little respect is shown in such cases. Given that seizing computers is not the same as searching a home; once a search of your home is over, it's over. With alleged computer crimes someone's business could be destroyed by the time the computers and data are returned. And, historically, it has occasionally required a lawsuit to get the computers and data returned (and the data may have been tampered with or destroyed).


(That's a terrible analogy.)

I'm comfortable with using IP addresses to issue warrants -- I don't think it's a stretch to say that a reasonable percentage of the time it'll turn out to be accurate.

The way computer seizures are handled is fucked up, though, totally with you on that.


Yeah, my thoughts exactly. Whatever happened with that judge's ruling that an IP is not a person? Did it get overturned?

http://torrentfreak.com/ip-address-not-a-person-bittorrent-c...


Until the supreme court rules on it themselves, I'm pretty positive other judges are still free to make their own judgments on the matter.


I find it a strange position for Wired to be in.

On the one side, they offer quality articles and have quality resources. They seem to favor the hackers.

On the other side, this article was written by Kevin Poulsen, who had a part in turning over a whistleblower and journalist source to the authorities. Kevin Poulsen has made himself too related to anonymous and WikiLeaks to be regarded as objective on these matters.

I know that isn't reason to judge any article of his, but the extra care I'm forced to take when Poulsen is involved (consider his sources, morals and agenda), leaves me with a sour taste in my mouth and an inability to enjoy reading this article.


Would be interesting to see them putting the same resources in getting to the bottom of who was DDoSing Wikileaks at the same time. But I have a feeling they never will.


The link is returning 404. Probably something readable can be found by searching http://www.google.com/search?q=threatlevel%202011%2007%20op_...


Wouldn't most of these ip addresses be in a bot net?


I do not think the Feds' main target was these arrests.

Why?

The Feds' targets would be the financing and administration of the botnets used in the DDoS attacks.

The arrests are to put pressure on the alleged criminals to turn in the others.

The Feds are after whoever is controlling the botnets in the DDoS attacks in the long term.

And you will not see the arrests of those for a while as far as what appears in the press, as the FBI can lock that down for 90 days as far as anybody knowing that you are being investigated.


If this is their tactic I can only laugh. For the most part, the members of Anonymous don't even know who the other members are.


I see a lot of anger directed at the FBI. Remember that ‘Anonymous’ gave these tools to children and encouraged them to use them knowing exactly what the consequences for the kids would be.





