Sunday, May 1, 2011

Denial of Service Attacks Are Illegal

The statements below are my own, and do not represent official positions of MPICT, CCSF, or any of my other employers.

A video was posted to YouTube putting forth an argument that the Jester's Denial of Service attacks are legal, and that I am guilty of libel for calling him a criminal. I contacted a friendly lawyer, who wrote the analysis below. My conclusion is that the Jester's actions are illegal, and that it is not a crime for me to say so.

It is important to be clear about this: denial-of-service attacks are a serious crime, and I do not want anyone to be deceived by the cruel lies of those who manipulate others into taking risks. Until recently, I regarded the Jester as less of a threat to the well-being of my students than the "Anonymous" criminal mob, but I see the Jester gathering a group of supporters, and even accepting donations. Others may well be inspired to imitate his deeds, which would be a serious legal and moral error. America is not strengthened by silencing unpopular statements with denial of service. To make us strong, allow your opponents to speak, and then explain your own position clearly.

Knowledge of computer security is a powerful and dangerous thing. I want my students to understand attacks and defenses, and to abstain from criminal acts. We must be as wise as serpents, and as innocent as doves.


The Jester's (I hate leetspeak) actions could be construed as violating
the Computer Fraud and Abuse Act, 18 USC 1030.

I will make the following assumptions for this analysis:
1. The Jester has DOS'ed the websites of WBC, Wikileaks and unnamed
jihadist orgs, using the Internet to perform the attack.
2. The Jester did not have permission to do (1) above.

Is the Jester a criminal?

DOS'ing a website without permission is a violation of 18 USC
1030(a)(5)(A) which reads as follows:

"knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage
without authorization, to a protected computer"

The Jester intended to make these websites unavailable by a DOS attack.
I would think that launching such an attack would fit within 'program,
information, code or command'.

Your 'fellow' claims that taking a website offline without changing the
content is not 'damage'. This is a narrower definition than the one in
the statute. Looking to 18 USC 1030(e)(8), damage is defined as:

"... any impairment to the integrity or availability of data, a program,
a system, or information". This is further defined in U.S. v Mitra 405
F.3d 492 (7th Cir, 2005) which held that interfering with a municipal
radio system was sufficient.

Finally, are these websites hosted on 'protected computers'? Looking to
18 USC 1030(e)(2)(B):

(2) the term “protected computer” means a computer—
(B) which is used in or affecting interstate or foreign commerce or
communication, including a computer located outside the United States
that is used in a manner that affects interstate or foreign commerce or
communication of the United States;

A publicly accessible webserver is clearly engaged in interstate or
foreign communication- after all, that's the whole point, right?

The $5,000 requirement is for attempts to use the system to defraud
under (a)(4).  I'd have to say that the Jester wasn't attempting to
defraud anybody- his intent was to knock these sites offline without
obtaining anything of value.

Even though the Jester hasn't been convicted of a crime, his actions do
violate Federal law.

To our second point-

Nobody's pressed charges, so the Jester's not a criminal. First off,
victims don't press charges. Victims complain. Prosecutors press
charges. Just a little criminal procedure.

Ok. Merely because the victim doesn't complain doesn't mean a crime
hasn't happened. Neither my coke dealer nor I complain about the crime
of drug possession and distribution, right?

Now this does raise an interesting issue. Lots of crimes, especially
technology-related crimes not involving child porn, are like punching a
clown- nobody cares so getting the police involved isn't going to happen
unless you've got a big or powerful constituency to lean on the
prosecutor. I've had a client who had an employee with root privs make
some extortionate demands after locking my client out of their
production boxes and deleting the threatening emails. The FBI couldn't
be bothered unless we could show the losses were >$100,000. So many of
these cases are just dealt with privately.

Finally, libel isn't criminal in most jurisdictions. It's a civil
action. Even then, it has to be the allegation of untrue, negative
_facts_. You're not alleging facts- you're stating an opinion that the
facts (as stated by Jester) are a criminal act.

