For a number of days the websites of MasterCard, Visa, PayPal and others were attacked by a group of WikiLeaks supporters (‘hacktivists’). Although the group calls itself ‘Anonymous’, researchers at the DACS group of the University of Twente (UT), the Netherlands, discovered that these hacktivists are easily traceable, and therefore anything but anonymous.
That is what happens when kids try to do DOS without having the proper knowledge of how network programming works.
Rule number one when you mess around with this type of activity is to never use your computer and home network.
But these kids think that real computer life is like the movies…
Captain Obvious to the rescue. If people get arrested, they deserve it. Not for taking part, but for being stupid.
Yup.
The attacks themselves were a form of well-justified modern protests, but getting caught – well, that’s your own fault.
A DOS attack depends on thousands of computers being a part of the attack right?
Arresting, prosecuting and imprisoning that many people (if they refuse to pay the fine) is going to be very expensive!
I’m sure that the MPAA and the RIAA, have already thought about the problematics linked to arresting and prosecuting people in bulk. Similar practices have also been used all along the 20th century by countries such as Russia, Germany, and the United States.
They could certainly all provide some advice.
Edited 2010-12-13 07:23 UTC
Obviously this strategy would only work if everyone decided together to do this. The MPAA/RIAA strategy only works through divide & conquer.
Of course a united front by all of them is highly unlikely.
Well, at the time they managed to unite a lot of people by invoking some vague and universal cause. The fight for freedom, the improvement of the human race, things like that.
Couldn’t similar arguments be invoked now? Like, I don’t know, the security of anyone facing these “terrorist attacks”? The good old “think of the children”?
Edited 2010-12-13 10:30 UTC
Isn’t part of the point of protests that they are not anonymous? If thousands of people got together and broke the law and challenged the authorities to arrest them, it would have a lot more effect.
Would be a lot riskier, and actually require some bravery, but would be much much more effective.
Edited 2010-12-13 07:53 UTC
Well, kids behind a computer in their bedrooms aren’t quite as courageous as civil rights marchers led by the likes of MLK or India independence marchers led by the likes of Gandhi. Nor is their cause anywhere near as noble, as far as I’m concerned. I recall MLK said during one of his marches that his goal was to “fill up all the jails”. Today’s DDoS attackers aren’t made of as stern stuff, I’m afraid.
Well that’s kinda the point I’m making too.
This isn’t a bunch of people fighting for what they believe. This is just a bunch of people who are having fun causing some problems for the big corps.
Up to the point when police officers will knock at the family door and have the parents open it. The evening explanation will be long, very very long… And remember what has been done by the RIAA for some movies downloaded: the one at fault was offered a $2500 agreement to drop the complaint, or take a lawyer and face a court. Guess that’s what’ll happen :/
Kochise
Taking down sites for refusing Assange’s business is well justified? How?
If I had a money-making site, I wouldn’t want his business either, and I shouldn’t have my site taken down, thus inconveniencing me and my customers because someone thinks I should do business with Assange or anyone else.
Let’s say that you banned me from this site (which is your right), and I responded with DDoS attacks on osnews.com. Would my attacks be “well justified”? Well, this is the same thing. Assange has been, in a sense, “banned” from PayPal, Amazon, VISA, Mastercard, and they shouldn’t be DDoS attacked for it. They’re within their rights to refuse Assange’s business. (I agree that PayPal shouldn’t have frozen the funds in his account, but they released those funds, and that’s all the further obligation they have to Assange.)
Edited 2010-12-13 08:59 UTC
I think we’re seeing a difference of perspective here. I think you’re American, and therefore, have a different view upon companies and corporations.
To me, not all companies and corporations are created equal. There are certain types of them that serve the public in ways more important than, I don’t know, toothpaste or car tyre makers. Any company that deals with money – banks, insurance companies, retirement funds – should be held to different standards, because the function they have to society is vastly more important and potentially disruptive than toothpaste makers’ or car tyre makers’.
Consequently, they can’t just ban people or companies without a court order. Members of the Dutch Lower House are actually questioning the Dutch government about this, to ensure that Dutch financial institutions – which are all monitored by the state, and consequently, didn’t fail as bad as uncontrolled US banks did – can’t just ban people or freeze accounts at will.
And that’s a good thing. Banks that operate willy-nilly create uncertainty in the marketplace, and especially organisations that act controversially – not illegally – might be too afraid to operate, hindering their development. And, as we all know, controversial organisations are needed to move us forward (e.g. without controversial organisations, we Dutch would not be the first country to have abolished apartheid, i.e., gay people having less rights). If financial institutions are allowed to ban people and organisations merely because their opinions might be unpopular, they will start playing a role in the democratic process, and we mustn’t want that. Financial institutions carry a lot more responsibility than most other companies, and as such, should not be allowed to operate without some form of state oversight.
In the US, it leads to the absolutely retarded situation of WikiLeaks being banned from financial institutions, while at the same time, these institutions have no problems carrying the funds of organisations like the KKK. The only reason these institutions are now banning WikiLeaks is because they are afraid of possible bad press. That’s exactly the kind of willy-nilly behaviour financial institutions should not be allowed to display.
Problem is KKK are not the ones making major news right now. If they did, I’d guess PayPal would get pressured to act. I think PayPal tend to act on a “serve everyone until someone complains loud enough” strategy. Which is how most businesses work. Basically damage control. If you bring up your KKK point loudly (gets media attention) enough, they’ll probably act. I would support you if you did.
Also, I don’t think I agree with your other points. Why shouldn’t PayPal be allowed to stop doing business with the KKK for example, if they start getting bad press over it? Sure the KKK would have to find another financial institution to work with, but I don’t see why PayPal should be compelled to work with them.
(spelling)
Edited 2010-12-13 17:41 UTC
You’re right, I do have a different perspective. In fact I disagree with your entire post. Business should be able to pick and choose with whom they will do business as long as that picking and choosing is not based on race/ethnicity, gender, religion, sexual orientation, disability. (Libertarians wouldn’t even have legal protections against those kinds of class discrimination, and maybe in an ideal world they’d be right, but they ignore the history of discrimination and are not realistic about human behavior.)
Compelling banks to give loans or compelling Amazon to store data or compelling PayPal to conduct money transfers to any and everyone? No. And I question if even the EC would go along with that.
Regarding your “American vs European difference of perspective” there’s not such a big difference. Your point would apply in the US for “public utilities” (like the local electric company). There are special rules for public utilities regarding whom they must serve, mainly because they normally have government issued monopoly grants (for example, a city awards a single electric company (or the city itself) the grant to serve a city, without competition, because competition wouldn’t be feasible due to limitations on the infrastructure space). So if an electric company decided to shut off electricity to Wikileaks, then that company might be in violation of a regulation, since electricity is deemed “vital” to modern living (though one could buy an electric generator or whatever). But Amazon and PayPal and credit card companies wouldn’t come under such rules, as they are not regarded as public utilities (nor do they have government granted monopoly).
There is a parliamentary committee in Iceland which apparently disagrees with you.
http://www.digitaljournal.com/article/301340
They did not, don’t twist the truth! All they wanted was to hear reasons; they got them and responded by doing nothing. So what Visa and MasterCard did was legal, the end.
I was going to reply to Thom along the same vein, but only to say that while the protest is non-violent, it’s hardly in keeping with a nobler civil disobedience.
It’s a group of frustrated individuals secretly attacking a company, making that company a victim of abuse.
I disagree with Thom’s form of what a “well-justified modern protest” is. I guess the “modern” means malicious intent.
I’m inclined to agree. As much as I disagree with most of the actions taken in opposition to Wikileaks, I do also believe that DDoS attacks cross the line. “Mob justice” is something to be wary of in general, and even more so when said mob is largely composed of the denizens of 4chan and EncyclopediaDramatica.
It also doesn’t appear that people participating in the various DDoS attacks have considered the possible fallout/collateral damage (that, or they just don’t care). E.g. I’m certainly not PayPal’s biggest fan, but I do know that a huge number of charitable organizations use them for taking online donations (something that a successful DDoS attack would disrupt – especially at this time of year).
I’m sure someone else has beaten me to this observation (but if not, I’ll happily take credit for coining it): mob justice only seems like a good idea until the mob picks a target that you don’t think deserves it, and there’s no way to guarantee that the mob will pick a deserving target (look at the misdirected backlash that EasyDNS has received).
Why aren’t DoS attacks against PayPal et al. a good idea?
Under the Patriot Act and other laws the US government has wide ranging laws to shut down companies that it sees as collaborating in things it perceives as illegal. Even if we don’t like it.
Under these acts, the USA can also sanction banks as well and rescind their licenses to do business in the US.
If PayPal and others get paralysed by the US government, thousands of people lose their jobs. Shareholders (many of them old people through unit trust) lose their money.
These companies really are between a rock and a hard place.
Romanticising this as some sort of justified moral protest is really throwing fuel onto the fire and helping ignorant kids get into trouble.
Woah there, Mr Police State. It’s good that you have faith in the justice system, but you might want to think that one through.
How can they prove it was the users of those computers and not someone who hacked into those machines and did the business without leaving any trace of their presence?
Probably as simple as concluding that it’s not even necessary to hack a machine when people are taking part on their own.
Because they will/did confess
Because there are limits to what a court will plausibly accept under “innocent until proven guilty”. If the police can clearly demonstrate that an attack was carried out from your computer, you’re going to have to *prove* someone hacked your machine if you want anyone to accept that excuse. And that’s going to be a challenge if you’ve taken all the reasonable precautions to keep your machine secure.
What if you live in a household of five? Or a dorm? Or whatever?
There are lots of specialists who take care of exactly those cases, I think.
It’s probably a home computer after all. The average user doesn’t destroy and burn his harddrive after launching such a program, I guess.
In this case something like Eraser would be enough I guess. But even if I had a copy of it, who says I have been at the computer at a given time and that there hasn’t been an intruder.
Always have been wondering about such things, but I guess these questions didn’t arise and AFAIK they bragged about it.
In this case something like Eraser would be enough I guess. But even if I had a copy of it, who says I have been at the computer at a given time and that there hasn’t been an intruder.
You can make that argument in your defense. But no one on the jury is obliged to believe you.
Yeah, but all of this is ridiculous anyways. I mean it’s like “You could have a <whatever>, I don’t believe you didn’t use it for <whatever>”.
Like “You have hands, why shouldn’t you have killed your friend/wife/enemy”. And yes, I believe in the stupidity of the jury. They are the same people as the ones watching talk shows, clicking spam mails, believe in ghosts, etc.
But that’s nothing new, right?
Why should one care?
A drunk driver can cause year death every day.
A (drunk) jury can do something similar.
Then you’re going to be *really* unpopular in your dorm for calling down the wrath of the authorities and casting suspicion on everyone.
You know what? They even had a FAQ on their website covering this topic. It also said something like “Don’t use Tor, VPNs are fine though”. The reason there have been so many people is that the FAQ also stated that there haven’t been any arrests yet.
Sorry for the sarcasm, but I just had to mention it.
Still I don’t get why people are doing this. It creates a connection between evil crackers and WikiLeaks and therefore creates harm.
Another thing I don’t understand is PayPal’s reaction. While I think it’s good they are returning the money I thought they would be able to defend against it. Especially because I thought they’d have the knowledge and enough money for countermeasures (there are various ways, even hardware solutions). Especially because I always believed they’d have to face attacks of small or medium sized bot nets anyway, which should have bigger size.
Oh, on television I just saw a discussion about it. An (Austrian) politician as well as some other people called it a new form of protest on the internet, a form they don’t really consider illegal. However, since it was a politician of the opposition I wouldn’t rely on it.
There was a “hacker” (19-year old guy who “hacked” his teacher’s website and now does security consulting) also commuting to the discussion, who seemed to be the only one who didn’t consider DOSing PayPal & Co. as very legal. Well, there also has been an ex-US-ambassador who disliked WikiLeaks and everything related to it. Everyone else, even the people they invited to say something against WikiLeaks turned out to actually like what they are doing.
Never thought Austrian people that get invited to a discussion on public television would be liberal enough to say things like this. Looks like I have been wrong.
There were multiple botnets involved of varying sizes.
Might be an interesting case for some lawyer. Obviously owning an army of botnets is illegal, but running a program from your own PC or, persuading people to download and run a program that makes requests to a website? I’m making requests to Osnews now, it’s not illegal, if the individual program makes insufficient requests to crash the site and the effect is only cumulative, where’s the crime for the individual?
Perhaps you could argue intention, the intention is not to read the site but another purpose but pinging a site is not illegal etc. The intention is to stop other users accessing the site, then this is like picketing, which is a legitimate form of protest as long as it is peaceful – well there’s no violence here.
Edited 2010-12-13 05:07 UTC
It’s not like picketing, for those that want to do business with those being picketed are free to cross the picket line, and it’s illegal to stop them. Executing DDoS attacks to bring down sites intends to make it impossible to “cross the picket line”.
Picket lines are a form of free speech, and therefore have special protection (at least in the US), but are also regulated by laws specifying what kind of conduct picket lines are allowed to engage in. For example, you have to allow people to cross the line, you can’t be within N feet of the doors, etc.
DDoS attacks, on the other hand, are not free speech, and are illegal, period (as far as I know :p ).
Edited 2010-12-13 08:51 UTC
Playing Devil’s Advocate here. I’m not so sure about how I feel about it, just wanted to raise a question.
Would it be legal to protest by making a huge line to, say, lots of McDonald’s, and ask them to give you something they don’t have in the menu? You’re not exactly making it so that anyone else is forced out of it, it’s just that you’re going there and placing your (bogus) order.
They can, of course, refuse to serve you and ask you to get off the line for the next person to be served.
That is one of the possible interpretations I see for a “DDoS” attack. Although I don’t really believe they should be “legal”, it seems to be a plausible interpretation.
What do you guys say?
To use your analogy, it’s like a McDonalds is having a normal serving day, say 4 cashiers and 10 customers, line is moving swiftly.
A DOS attack here would be if people bussed in 50 people, they were told “go ask for a bogus item” and when turned away, go back to the front of the line and ask for a different bogus item.
The McDonalds manager, not knowing how to handle the influx of traffic, closes the store.
There’s a finite amount of resources that the server is offering. A DOS attack overloads the server resources, and turns away other legitimate users as the penalty.
After reading TFA I don’t think it adds any information to what was already known about the used DDoS tool.
What is more important is that laws will get updated to include this kind of crime.
Sure, I can understand that you might want to make a point (and considering the kind of kids involved in these attacks of course the only viable way is cyber vandalism), but does that justify the economic damage done by this kind of attacks? As far as I’m concerned they can do a demo on the ‘Museumplein’ and anything like the DDoS attacks should be cracked down on by law enforcement.
… has the dutch police to torture a 16yr old kid?
The boy has been arrested 4 days ago (12/09/2010)
http://www.telegraaf.nl/binnenland/8457669/__Tiener_opgepakt_na_Wik…
Well, even if this very article — in Tom’s most _____ newspaper — states he admitted attacks, I yet have to hear anything about facts, about proofs. The Dutch police just emits assumptions, seeds FUD. Or just nonsense like “we found computers in his room.”. Hey, they also will find computers and even — these more evil — USB sticks in my room, even in my office. So, how should this “fact” be interpreted?
BTW, they decided to keep him another 13 days in prison. Maybe they hope this kid tells them how to trace the DDOS attackers.
pica
Since I had to wait on a co-worker, I read some Dutch newspapers.
In short:
Scholars in Den Haag (Zuid Holland) collect money for the 16yr old scholar who has been arrested.
School principals state it is a nightmare and that most scholars actually state, regarding that police action, they mistrust the police.
pica
If the public have a right to congregate in peaceful protest; what is the digital equivalent? Is it not everybody being on the same website, at the same time? Would the website not cease to work in the same way a road becomes inaccessible during a protest march?
So digital protesting is illegal, but protesting in the real world is not? I wonder how that situation came about.
A public protest is about getting your message out. A DDoS attack is about preventing someone else from getting their message out.
DDoS attacks are the opposite of free speech, whether it is Wikileaks or Mastercard getting attacked.
Bingo. Peaceful protests are fine, but you’re not given free license to break the law and damage other people’s property. You want to do something useful, demand equal enforcement on the people DDoSing Wikileaks.
As for the 4chan kiddies, they should be damn glad the government hasn’t broken out the word “cyber-terrorism” yet.
IMVHO the osnews perspective should be here quite short:
1) LOIC is written in .NET
2) LOIC is mostly run under Windows XP SP2+ (vista/7)
3) #1 and #2 mean LOIC is unable to do packet crafting, it cannot spoof the Source IP address
4) Can’t be anonymous!
5) You would have to spoof Source IP in, say, Linux whose API supports these things
6) And even then you wouldn’t be that anonymous as the ISPs could see which network ports were highly utilized and if they keep track and see lots of random/spoofed IPs then you’d be suspect.
http://xkcd.com/834/
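
Added illustration of points 3 and 6 in the numbered list above (not part of any comment in the thread, and not code from LOIC or the UT study): a sketch of how unspoofed flood traffic is attributed at the target, and how an ISP edge can still single out an access port that emits spoofed sources. The port names, prefixes, thresholds and flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: prefix the ISP assigned to each customer access port.
ASSIGNED = {
    "port-a": ipaddress.ip_network("192.0.2.0/28"),
    "port-b": ipaddress.ip_network("198.51.100.16/28"),
}

# Constructed flow records at the ISP edge: (port, source IP, destination IP, packets).
FLOWS = [
    ("port-a", "192.0.2.5", "203.0.113.10", 48000),     # own address, high volume
    ("port-a", "192.0.2.5", "203.0.113.10", 51000),
    ("port-b", "10.7.7.1", "203.0.113.10", 900),        # sources outside the prefix
    ("port-b", "172.16.3.9", "203.0.113.10", 850),
    ("port-b", "203.0.113.77", "203.0.113.10", 910),
    ("port-b", "198.51.100.18", "203.0.113.50", 40),    # ordinary traffic
]


def summarize(flows, assigned):
    """Per access port, split packets by whether the source lies in the assigned prefix."""
    stats = defaultdict(lambda: {"valid_pkts": 0, "spoofed_pkts": 0, "spoofed_srcs": set()})
    for port, src, _dst, pkts in flows:
        entry = stats[port]
        if ipaddress.ip_address(src) in assigned[port]:
            entry["valid_pkts"] += pkts
        else:
            # Ingress-filtering style check: this source cannot belong to this port.
            entry["spoofed_pkts"] += pkts
            entry["spoofed_srcs"].add(src)
    return dict(stats)


def flag_ports(stats, min_spoofed_srcs=3, flood_pkts=50000):
    """Flag ports by the two patterns in the list; both thresholds are assumed values."""
    flagged = {}
    for port, s in stats.items():
        if len(s["spoofed_srcs"]) >= min_spoofed_srcs:
            flagged[port] = "spoofed-sources"          # point 6: the port itself stands out
        elif s["valid_pkts"] >= flood_pkts:
            flagged[port] = "high-volume-own-address"  # point 3: no spoofing at all
    return flagged


def victim_view(flows, target):
    """Packets per source address as the target's own logs would record them."""
    seen = Counter()
    for _port, src, dst, pkts in flows:
        if dst == target:
            seen[src] += pkts
    return seen


if __name__ == "__main__":
    stats = summarize(FLOWS, ASSIGNED)
    print(flag_ports(stats))
    print(victim_view(FLOWS, "203.0.113.10").most_common(3))
```
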