Hacker fined with $183,000 for just one-Minute of DDoS attack!!!!

nestech

thehackernews.com

Eric Rosol, A 38-year-old hacker who joined an Anonymous hacker attack for just one minute has been sentenced to two years of federal probation and ordered to pay $183,000 fine.

Yes you read right! $183,000 fine for just 1 Minute of DDoS attack.
In 2011, Eric participated in a distributed denial-of-service (DDoS) attack organized by hacker collective Anonymous against the servers of Koch Industries.


The DDoS attack was organized in opposition to Koch Industries’ reported weakening of trade unions.


He used a software called a Low Orbit Ion Cannon Code, LOIC is a popular DDoS tool used by anonymous hackers and other hackers to perform the DDoS attack.


Rosol pleaded guilty and was agreed to direct pay for the losses as a result of the attack on the company website i.e. around $5,000 only, but Koch Industries had argued that it hired a consulting group to protect its web sites at a cost of approximately $183,000.


Unfortunately, the company website was knocked offline for just 15 minutes and now Eric has to pay the bill of the Cyber Security consulting group.


Similar crimes have also carried heavy punishments i.e. Jeremy Hammond, 28, Anonymous group member was sentenced last month to 10 years in prison for hacking various government agencies and a global intelligence company - Stratfor.

ratbuddy

If you can't do the time....

linuxlover

ratbuddy wrote: »

If you can't do the time....

Completely agree.

CoolAsAFan

What happens when a real life, legal protest is conducted properly outside of an organization? Does some form of DoS occur? Certainly, back in the day, customers would likely not do business with a company when they see dozens, hundreds, if not thousands of protesters with a clear message being demonstrated at the doorsteps of the place your trying to conduct your business. With many protesters, could it be considered a DDoS?

IMHO, protesting and demonstrations have only evolved into what is now a "hi-tech" form of their former selves. The principal is the same, company x does something illegal/unethical, so people unite to get the word out, make a stand, and hopefully make that company realize the error of their ways and maybe even fix what is broken. It's simply civil disobedience.

Now compare the fines and punishment for the two different forms of civil disobedience (old school vs modern), do you think it is justifiable?

If not for the like-minded people looking out for the better good of humanity, who would do it? Our government? When capitalism trumps decent human behavior, and when the people regulating the entities performing the atrocities are "in bed" together, what are the people to do?

I'm not saying that all these DDoS attacks are justified or that I even condone the use of LOIC or that I agree with Anonymous, but I certainly understand trying to make a stand to stand up for what is right and maybe, just maybe, make the world a better place.

/end rant

ratbuddy

I disagree with the analogy. Protesting is one thing, but once you start blocking the entrance, your protest becomes illegal, and you need to accept whatever legal consequences your behavior may bring.

DoubleNNs

But I doubt you'd be fined 183k for chaining yourself to the doors of a corporation for the 15 mins it took their security team to get power-tools strong enough to break thru the chains and have the police arrive to arrest you.

Dieg0M

DoubleNNs wrote: »

But I doubt you'd be fined 183k for chaining yourself to the doors of a corporation for the 15 mins it took their security team to get power-tools strong enough to break thru the chains and have the police arrive to arrest you.

And I doubt that chaining yourself to the doors of a corporation will have the same impact as a DDoS for 1 minute on this same corporation.

Z3-Masterd

ratbuddy wrote: »

I disagree with the analogy. Protesting is one thing, but once you start blocking the entrance, your protest becomes illegal, and you need to accept whatever legal consequences your behavior may bring.

Ratbuddy is correct. There's a difference in making noise from the sidelines and interfering with operations.

Mind you, I wish the attack would have crippled Koch's servers permanently. Did the guy launch the attack from his own registered IP? The article doesn't say.

DissonantData

The Koch Industries can get away with some of the unethical things they are doing because they aren't technically violating the law, but circumventing or getting around the law. Considering they have the capital and influence they are less likely to get punished, at least until they actually commit a crime.

I'm not exactly sure what laws the hacker broke. Can someone can give a list of them? Did he violate the Computer Fraud and Abuse Act?

nestech

DissonantData wrote: »

The Koch Industries can get away with some of the unethical things they are doing because they aren't technically violating the law, but circumventing or getting around the law. Considering they have the capital and influence they are less likely to get punished, at least until they actually commit a crime.

I'm not exactly sure what laws the hacker broke. Can someone can give a list of them? Did he violate the Computer Fraud and Abuse Act?

[h=3]Laws That May Apply to DDoS Attacks[/h] On the criminal side, the primary federal law that applies to most DDoS-related attacks is the Computer Fraud and Abuse Act, or 18 U.S.C. §1030.^[2]

^[2] United States Code, abbreviated as U.S.C., is the complete body of constantly revised laws defined at the federal level in the United States. It is divided into titles, then subdivided further into sections/subsections. 10 U.S.C means Title 10 of the United States Code. The symbol § stands for section/subsection. Titles and sections/subsections also have common names that identify them based on the legislation that created or amended them. So the complete reference to the Computer Fraud and Abuse Act, which is Title 10, Section 1030, would be 10 U.S.C. §1030. Subsections are further identified by subordinate letters and numbers in parentheses, so subsection a and sub-subsection 3 would be identified as 10 U.S.C. §1030(a)(3). For more information on United States Code, see U.S. Code : Table of Contents | U.S. Code | LII / Legal Information Institute.

An example of this law being applied to DoS attacks is the case of United States v. Dennis in the District of Alaska in 2001 URL="http://users.atw.hu/denialofservice/bib01.html#biblio01_211"]ws[/URL. In 2001, a former computer systems administrator in Alaska pled guilty to one misdemeanor count for launching three e-mail based DoS attacks against a server at the U.S. District Court in New York. He was charged under 18 U.S.C. §1030(a)(5) with "interfering with a government-owned communications system."
Other DDoS-related attacks mentioned elsewhere in this book, such as the extortion attempts against online gambling sites and online business, may fall under 18 U.S.C. §1030(a)(7), which covers extortionate threats. Analysis of a Congressional Research Service report URL="http://users.atw.hu/denialofservice/bib01.html#biblio01_081"]fra[/URL suggests such attacks may also violate

• 18 U.S.C. §1951 (extortion that affects commerce)
  
• 18 U.S.C. §875 (threats transmitted in interstate commerce)
  
• 18 U.S.C. §876 (mailing threatening communications)
  
• 18 U.S.C. §877 (mailing threatening communication from a foreign country)
  
• 18 U.S.C. §880 (receipt of the proceeds of extortion)

The act of breaking into hundreds or thousands of computers to install DDoS handlers and agents may violate 18 U.S.C. §1030(a)(3) (trespassing in a government computer). If a sniffer is used to obtain passwords as part of this activity, the attacker may have violated 18 U.S.C. §1030(a)(6) (trafficking in passwords for a government owned computer) or 18 U.S.C. §2510 (wiretap statute).
Even an attempt to violate any of the sections of 18 U.S.C. §1030 listed above is itself a violation of 18 U.S.C. §1030(b).
On the civil side, 18 U.S.C. §1030(g) creates a civil cause of action for violation of subsection (a)(5)(B), which includes any of the following:

• Loss to one or more persons during any one-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting one or more other protected computers) aggregating at least $5,000 in value.
  
  
• The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
  
  
• Physical injury to any person.
  
  
• A threat to public health or safety.
  
  
• Damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.
  

Damages include only economic damages, and the civil action must be brought within two years of the act or when the damage was discovered.
Another civil action surrounding a DDoS attack against a business, which prevents customers from engaging in business with the victim and thus damages its business, would be "Tortious Interference with Business Relationship or Expectancy." To prove this, the plaintiff (the DDoS victim) would have to show several things, including such elements as knowledge of the business relationship between the victim and its customers, knowledge that the action (the DDoS attack) would disrupt this relationship, knowledge that the result would cause damage to the victim, proof that the defendant caused such disruption and damage, and proof that the victim has suffered a loss. (Here is where careful evidence collection and realistic incident cost estimation become very important.)
The Department of Justice Cybercrime Web site URL="http://users.atw.hu/denialofservice/bib01.html#biblio01_081"]fra[/URL also lists these laws as applying to computer intrusion cases:

• 18 U.S.C. §1029 (fraud and related activity in connection with access devices)
  
• 18 U.S.C. §1362 (communication lines, stations, or systems)
  
• 18 U.S.C. §2510 et seq. (wire and electronic communications interception and interception of oral communications)
  
• 18 U.S.C. §2701 et seq. (stored wire and electronic communications and transactional records access)
  
• 18 U.S.C. §3121 et seq. (recording of dialing, routing, addressing, and signaling information)

This is a representative, yet not exhaustive, list of laws that may apply. Readers are urged to consult with an attorney and local/federal law enforcement agencies in their jurisdiction in order to learn more about what legal options exist in the event of a DDoS attack, and how to prepare to exercise these options when and if a DDoS attack occurs. It is also important to understand your responsibilities and potential liabilities in the event that your own systems are taken over and used to attack someone else, in which case you may be the defendant, not the plaintiff, in a civil suit.

YFZblu

Z3-Masterd wrote: »

Did the guy launch the attack from his own registered IP? The article doesn't say.

Probably - He used LOIC though, so it's not like he spearheaded / masterminded this thing....he just joined the DDOS with thousands of others who were doing the exact same thing.

Dieg0M wrote: »

And I doubt that chaining yourself to the doors of a corporation will have the same impact as a DDoS for 1 minute on this same corporation.

In terms of impact, it was determined one minute of downtime would cost the business less than $5,000 - The ~180,000 dollars stems from the infosec consulting Koch purchased to "protect their websites".

Overall, CFAA penalties can be mind-bogglingly harsh and unnecessary. But ultimately this guy shouldn't have done it; it's an extremly stupid thing to do regardless of the dollar amount he will be fined.

tpatt100

He got caught so if he wants a reduced amount I am sure everybody else involved will turn themselves in and offer to split the penalty lol.....

olaHalo

How did he got caught?
Out of however many participants why is he singled out?
Also I didnt realize people actually used LOIC...

Good read thank you. And I enjoy the debate in this thread.

jvrlopez

He knew what he was doing.

CoolAsAFan

Z3-Masterd wrote: »

Ratbuddy is correct. There's a difference in making noise from the sidelines and interfering with operations.

I agree with you guys here, but at the same time, what should people do when their government is protecting corporations under the guise of corporations being people and being granted the same, if not more, rights?

Did the major US banks not cause a massive DDoS on all of our money (taxes to bail them out)? Our credit? Our jobs? (again a loose analogy, probably wrong, but you get my point)? What was their punishment? To give them millions of OUR money and say, "hey guys, play nice!"

I read an article the other day where they are trying to push a bill to deregulate derivative trading...you know the stuff that basically caused the recession! It is much like how a bill was introduced (maybe passed?) about putting Monsanto outside of US legal jurisdiction, and its a US-based company!

People are just pissed, especially at our gov't, and they just need a way to demonstrate it. Unfortunately, it is much easier to download a program and fire it up versus the other alternate means of protest.

olaHalo wrote: »

Also I didnt realize people actually used LOIC...

I guess Anon is still pushing LOIC pretty hard. I checked an old email account where they are still emailing people about their new ops, recently in Ukraine, and at the bottom it says something to the effect, "Fire up those cannons!" lol.

antielvis

I disagree he knew what he was doing. Any person with a basic understanding of computing knows that using LOIC without sometype of VPN is going to guarantee you likely get arrested. When you install LOIC it also adds you to the botnet. If you follow hacking culture you'd know that LOIC users are seen as "skids" which I doubt I have to define.

The penalty issued seems rather steep and, imo, is likely due to Koch having a well paid legal team. It's akin to a judge charging someone for cost of physical security at a corporate building because they broke in. I'm by no means condoning hacking but I find the penalities rather harsh especially when compared to other crimes.

I think CoolAsAFan hit it on the head when he said it is a form of protest. I sense a lot of frustration in the USA over the heavy handed nature of the government and major business. Americans seem to feel cornered as the constitution that built the nation gets stepped on & they have little recourse. When people get angry enough at something they'll go ahead and break the law.

tprice5

antielvis wrote: »

I disagree he knew what he was doing.

He may have known that what he was doing was wrong but I highly doubt he was aware of the possible ramifications. These sentences are completely ridiculous. It pisses me off and it should you too. A citizen had his life ruined by the hand of our government, and for what?

Edit: I misread your statement, apologies. You're correct. Everyone know's using LOIC in the open is suicide.

antielvis wrote: »

It's akin to a judge charging someone for cost of physical security at a corporate building because they broke in.

I have literally never heard of this happening.

antielvis wrote: »

I sense a lot of frustration in the USA over the heavy handed nature of the government and major business. Americans seem to feel cornered as the constitution that built the nation gets stepped on & they have little recourse. When people get angry enough at something they'll go ahead and break the law.

Indeed.

nestech

Okay I have a question for everyone who had something to add to this post. What if this was your place of employment and because of this attack you got fired... Would you all still feel like the punishment was too much?

jibbajabba

tprice5 wrote: »

A citizen had his life ruined by the hand of our government, and for what?

For causing $183k of damage. The fine is not to proof a point, the fine is to pay for the bill it cost them to fix the problems he has caused. Put yourself in the companies shoes. You got a company, you get cyber attacked and you are out of pocket - would you feel sorry for the attacker if he gets fined to pay your bill causing him being in debt for the rest of his life ? No, you wouldn't care now would you.

I used to work in an online casino which got attacked by a group of 2 - the damage : $670k in loss of revenue alone, not included the man hours or related technical costs.

What you are saying now is that they shouldn't get fined for that and pay the damages because hey won't be able to afford paying for it ?

Just because you don't know what consequences it has, it makes it any better. Otherwise you could argue that driving drunk isn't too bad because you are unable to think straight and therefore won't realize / know the consequences, you shouldn't be punished for any damage you may cause, right ?

tprice5

nestech wrote: »

Rosol pleaded guilty and was agreed to direct pay for the losses as a result of the attack on the company website i.e. around $5,000 only, but Koch Industries had argued that it hired a consulting group to protect its web sites at a cost of approximately $183,000.

jibbajabba wrote: »

For causing $183k of damage.

He was only a participating party of an event that caused $5,000.00 in damage. He did not cause $183,000.00. Your argument is completely invalid.

He should absolutely be 100% liable for every bit of damage caused. Now it did not say whether the security consulting firm was hired before or after the incident, but either way, it would be a huge reach, judicially speaking, to make him foot the bill for everything the company did to harden its assets.

Ya know, my house could really use a new surveillance system, fence and locks. I sure do hope a burglar gets in at some point so the judge can make him buy me all nice new things.

jibbajabba wrote: »

Otherwise you could argue that driving drunk isn't too bad because you are unable to think straight and therefore won't realize / know the consequences, you shouldn't be punished for any damage you may cause, right ?

This doesn't even deserve a response.

stryder144

The only thing that burns me about this case is that he wasn't the only one to participate in the attack; he appears to be the only one that they caught. He shouldn't have to pay the entire bill, just a portion of it. If anything, he should have to pay the agreed upon $5k plus 1/15th the price of the consultant, or a bit north of $17k total. In my opinion, the damage award is not proportionate to his part in the crime.

tprice5

stryder144 wrote: »

He shouldn't have to pay the entire bill, just a portion of it. If anything, he should have to pay the agreed upon $5k plus 1/15th the price of the consultant, or a bit north of $17k total. In my opinion, the damage award is not proportionate to his part in the crime.

I can get on board with $17k.

dave330i

stryder144 wrote: »

The only thing that burns me about this case is that he wasn't the only one to participate in the attack; he appears to be the only one that they caught. He shouldn't have to pay the entire bill, just a portion of it. If anything, he should have to pay the agreed upon $5k plus 1/15th the price of the consultant, or a bit north of $17k total. In my opinion, the damage award is not proportionate to his part in the crime.

By that reasoning, if n people commit a murder, then the 1 person they catch should only serve 1/n life sentence.

dave330i

antielvis wrote: »

I think CoolAsAFan hit it on the head when he said it is a form of protest. I sense a lot of frustration in the USA over the heavy handed nature of the government and major business. Americans seem to feel cornered as the constitution that built the nation gets stepped on & they have little recourse. When people get angry enough at something they'll go ahead and break the law.

McVeigh blew up a federal building as a form of protest. Does that justify his action?

bermovick

Strawman argument.

the_Grinch

I dislike the use of the term hacker here. I watched a documentary where they interviewed this gentleman (prior to the trial) and from that you'd know his skills stopped at downloading the tool and clicking a button. I agree do the crime you gotta do the time and pay the fine. This isn't too much different then the fines levied by the legal system in the cases of music downloads. Share five songs and you're paying the RIAA over $100,000. I'm all for protesting and I agree this company is crap. But as others have stated, when you take your protest into the cyber arena the effects are compounded much more then in the kinetic world.

Write letters, stand outside with a sign, blog, etc to get the message out about your cause. There are proper channels and methods that can be utilized for such things. In this case, they choose the wrong way.

tprice5

bermovick wrote: »

Strawman argument.

+1

........... <-- character requirement

CoolAsAFan

the_Grinch wrote: »

I dislike the use of the term hacker here......
Write letters, stand outside with a sign, blog, etc to get the message out about your cause. There are proper channels and methods that can be utilized for such things. In this case, they choose the wrong way.

I completely agree about the misuse of the term hacker. But in reality, this term had been misused as a blanket derogatory term since the 1980's (i think?) and the whole hacker culture has been misrepresented since then as well. Sure, in our world, he is just another script kiddie. But in the layman world, a hacker is a hacker is a hacker...anyone been to NA/AA lol?

I kind of agree with your second statement, but just to an extent. I still feel like that because of the internet, protesting has evolved, along with everything else that has evolved because of the internet. I mean pretty much ALL successful business models had to change with the internet or be left behind. I think modern protesting is no different, but we just haven't quite figured out the most optimal way to express a message, while still being in accordance with mans written laws. (I'm not even going to touch whether these laws are right/wrong.) All that being said, I don't think using tools like LOIC is sustainable for protesting either, but it is definitely a start to modern protesting on the internet in the information age.

This thread has been very interesting and fun. Just another reason why TE is the best!

MSP-IT

It almost seems like Koch Industries could almost be accused of technical negligence. If a company knew that there was a threat of such activities, it should be their responsibility to safeguard against such activities. Though hell, if they can cover their behind after the fact and send the bill to any individual identified in the attack, I could see this type of thing becoming a commonplace; they can gain from their blatant ignorance.

tpatt100

I don't see this as a form of protesting but more a method of shutting a business down. Defacing a website as a form of protest is still a form of vandalism but I would probably just call it vandalism since it requires somebody to "clean up" the mess.

Due to search engines in general updating search results due to trends in searches online protesting has it's advantages over physical protests. Online protests can generate social media interest, blog coverage and traditional media coverage if it is big enough. This causes a "Google Problem" where people wanting to research a product will probably see something about the protest and why there are protests right above or right under the website for the company they are looking for.

Physical protests work also but it requires way more work and dedication where as in the digital age, search results can be a big problem for companies.

antielvis

@tpatt

Vandalism is a good way to refer it. It's an eyesore and an annoyance, but definitely not hacking. I wouldn't even classify it as script kiddie stuff. You download LOIC, you key in the website and press go. My mom has that capability. I also question the 183K. A DDoS is a bunch of packets which overwhelm your router. Exactly what cost 183K to fix? Cloudflare and Black Lotus don't cost that much.

To the guy who said something about Tim McViegh. C'mon man, that guy was a terrorist. This guy was a vandal, and to some a protester.