Sophos Cloud Optix
Four young Englishmen who went on an Anonymous rampage back in 2010 weren’t as anonymous as they might have hoped.
They were traced, identified and arrested.
We wrote at the end of 2011 that they’d been released on bail after being charged with running Distributed Denial of Service (DDoS) attacks against a number of high-profile payment processing companies.
PayPal, Mastercard and Visa ended up under the pump in the attacks, which were carried out in revenge for those companies refusing to process donations to controversial whistle-blowing outfit Wikileaks.
The fact that the DDoS might have prevented many other not-for-profit organisations from receiving donations as a side-effect didn’t seem to worry the attackers.
Interestingly, the judge who granted them bail didn’t ban them from using the internet during their temporary freedom, but he did place them under an unusual restriction: they weren’t allowed to use their online handles, or nicknames.
That probably wasn’t too onerous for Christopher Weatherhead, now 22, who had to stop going by “Nerdo”, nor for Ashley Rhodes, 28, who could no longer strut his stuff as “NikonElite”. But it might have been tricky for 24 year old Peter Gibson, who was apparently banned from calling himself “Peter”.
(It’s not clear if he had to go by the rather formal “Mr Gibson” instead, or if, paradoxically, he was permitted to adopt a pseudonym, provided it was one he hadn’t used before.)
All four pleaded guilty. Three have now been sentenced: Nerdo got 18 months, NikonElite got seven and Peter, also known as Peter, got a six month suspended sentence.
The fourth hacktivist, whom we now know to be Jake Birchall, was just 16 at the time of the offence and will be sentenced separately. He too was banned from using his nick while on bail, but the court never told us what it was.
You’ll find widespread reports suggesting that this attack alone cost PayPal £3.5 million (about $5.5 million), if you’re wondering just how harmful a DDoS can be for an online business.
You need to take this sort of damage figure with a pinch of salt – it seems to include the cost of precautions taken after the attack by PayPal that were an investment to protect the company into the future, so it seems a little counter-intuitive to include this in the retrospective cost of recovering from an attack.
But there is little doubt that the hacktivist quartet did, and intended to do, as much damage as they could. They’re said to have bragged on IRC, saying:
We have probably done some million pound of dmg to mc
(The word dmg, of course, means damage, while mc is shorthand for Mastercard.)
Now they get to regret.
Now this is starting to bother me so I'm going to just point it out: The point of virtually any protest is to cause monetary loss. That's why you stand in front of the actual stores or factories and harass the patrons or works as much as legally permissible. That's why boycotts are all about not using a particular company. Companies loose money because people don't buy the products, or because the workers don't come in to work.
DoS attacks should be categorized as free speech just like any other form of protest. And just like any other form of protest damage to the data should be as illegal as vandalism. But sending them to jail? Yes these companies lost lots of money, yes it inconvenienced other unrelated people. But that's the whole point. That has ALWAYS been the point. Suddenly doling out jail time for something that would be perfectly legal is done in person to me seems more totalitarian then anything.
Free speech means you can say what you want (though there are nevertheless limits – most countries that allow free expression also have fairly restrictive laws about vilification, libel, slander, and so forth, so you can't say *anything* you want).
Free speech doesn't mean you can do what you want.
A DDoS like this is more like a vehicle blockade or an unlawful picket, or a lawful protest march that gets out of hand and ends up intimidating bystanders and preventing them from enjoying their own lawful freedoms.
A DDoS is nothing like a boycott, either, which is where you persuade people to withdraw their custom from a business as a matter of individual conscience.
I wouldn't say that's actually true, for one DDos Attacks rarely last for longer then a few hours since websites can actively put a stop to it, which you'll notice you can't do in to a protest person. These credit card companies lost so much money in such a short amount of time because of how much money is handled in such a small amount of time. No because of how destructive the DDoS attack was. To any other website it was have been significantly less.
Besides, Can you honestly say, that if it was a physical building they wouldn't have lost the same amount of money? Of course it would have taken longer since only a percentage of people would have been intimidated, but if you kept it up until you got what you want then dose it matter how long it took?
It's not like business haven't gone under in the past because of protests in the past. So why should this be any different? How else should be protest wholly digital entities? How exactly does one go about protesting a server in Singapore pray tell?
Just because you want a DoS to be the equivalent of a peaceful protest, doesn't make it so. It's an absolutely bogus analogy. As Paul indicated, it is more like a blockade that prevents anyone from entering the store.
IMHO, they should have gotten more time. It seems to me too many of the generation y and younger have this sense of entitlement on the Internet that equates to being able to do whatever they want because they can. Then they use some bogus physical world analogy that makes about as much sense as the one proffered above.
Can you tell me actually how anyones “free speech” is related to usage of DDoS botnets (say, mine and your PCs) to do something?
While I see your point I believe it has a few flaws.
During a boycott or picket or any other physical form of protest, the crowd or individual can still make a reasoned decision to allow access to the physical building. A case in point would be protesting outside a bank. During a physical protest it would be very unlikely the crowd would stop a 90-year old woman from entering to draw her pension funds for the week. During an online DoS there is no such distinction…or even a chance for one.
If a paymaster for a small company was forced to enter the building to deposit funds or face losing his business, while not condoned or sanctioned by protestors it would again be unlikely that he was denied access. Again, DoS offers no such distinction. A DoS is more like building a wall around the building and forcing any who approach to retreat…there is no mental reasoning or evaluation that can take place.
The thing is, if they'd STOLEN even a fraction of that money, their term would have been much longer. It seems to me they got off quite easy. As you mentioned, it is not just the damage done to those companies, but to all those who depend on them. There were surely individuals in an emergency situation and NEEDED the use of their mastercard to take care of things (flight home to see a dying parent, or stranded with a car break down in the middle of no where, or picking up urgent prescriptions for a sick child at the drugstore). And certanly many worthy non-profits helping the less fortunate who did not receive donations because of this.
This is the same tunnel vision that keeps them from seeing the life-threatening danger they put so many in when they leak military intelligence. It is frightening to think what they are capable of, and how little regard they have for the irreversible damage they can do to those who cannot protect themselves from the "side effects" of their crimes.
Well said, Kathy!
Spot on, good job!
Shouldn’t that be anonymice?
Not-for profit organizations should not do business with PayPal, Mastercard or Visa anyway…
So how do they receive donations from donors who only use PayPal, Mastercard or Visa?
1. Most not-for-profits operate on a subscription model with standing orders. Ad hoc credit card donations are a small percentage. If the donations were not able to be processed I'm sure the donors would try again later. So, this argument that their actions affected NFP is specious.
2. Where are the examples of people dying or suffering because of this DDoS? There were many many transactions affected and there seems to be nothing in the media. Surely the daily mail could have found something?
3. These companies didn't lose this money. They have insurance. They may have lost their no-claims bonus. So, insurance companies lost – which is what they do – take the risk.
So, if I steal your car and joyride it until the engine seizes and then set it alight for the jolly good fun of it all…
…then as long as you're insured (and in many countries it's compulsory), I never stole it! It didn't cost anyone a thing! The "loss" was synthetic, because it's all built in to the system!
No-one died. No-one suffered. All good!
I responded to the hyperbole in the accusations of loss in the article. There was no moral aspect.
To be fair to me, which I intend to be because I *am* me, I simply said that "the fact that the DDoS might have prevented many other not-for-profit organisations from receiving donations as a side-effect didn't seem to worry the attackers."
Indeed, they didn't seem to care what happened to anyone else.
Not sure that amounts to "hyperbole in accusations of loss."
(Anyway, as for "hyperbole in the accusations of loss", you might at least acknowledge that I questioned the GBP3.5 million figure as including stuff that probably shouldn't have been added in. Perhaps you missed that bit?)
Scott wrote "1. Most not-for-profits operate on a subscription model with standing orders. Ad hoc credit card donations are a small percentage."
No. As the (volunteer, unpaid) president of the non-profit responsible for recovery from the 2011 North Carolina tornados, I can assure you that people only give to organizations like ours in the immediate wake of a disaster. Anmd they do it by PayPal on the websites and credit cards at the concerts and street fairs.
Scott continued" "If the donations were not able to be processed I'm sure the donors would try again later."
Nice if that were the case, but it's not. Donors have a very short memory.
I think it's telling that Anon attacked the FBI, the CIA, and now we are hearing they are about to commit The Biggest Wikileaks Ever. All this and no word of anonymous hackers being brought to trial, or the escapades the authorities went through to catch them for these antics. Rewind two years and Anon perform ONE DDoS against the money holders (Visa/Mastercard) and all hell breaks loose. It shows you who's really in charge and what matters to those who are in charge. I guess civil disobedience ceases to be acceptable when you start to threaten money in a tangible way (versus marching down Wall St.).
Are you suggesting that the reason there has only been one Anonymous-related arrest is because law enforcement don't care unless and until someone hacks a payment site?
Perhaps they do care, but just don't have enough evidence for any other arrests? (Rule of law, and all that.)
Or perhaps there *have* been other arrests?
http://nakedsecurity.sophos.com/2011/06/13/anonym…
http://nakedsecurity.sophos.com/2011/06/10/spanis…
http://nakedsecurity.sophos.com/2010/12/10/dutch-…
http://nakedsecurity.sophos.com/2011/07/20/arrest…
Sorry, but for the unwary whom are affected by a DDoS, this is not any kind of protest – they don't have a clue as to what's going on and/or why; all they know is that they can't use the website/service.
There's no free speech involved because nobody but the perpetrators of the DDoS are talking to anyone, publicly, about it before and/or during the actual attack.
As far as "putting a company out of business," as someone mentioned, let's just toss a b*#b in their building – that would, in effect, put most companies out of business, at least for a while. But, you know what? IT'S ILLEGAL!!! It's an attack.
DDoS's are essentially the equivalent – nothing but an attack. Unauthorized entry into a company's computer network is, at the very minimum, against MOST websites/companies ToS; and a lot of them state they will take legal action. I would, too.
You want to protest, get your signs out and go stand in front of the company. That's your legal right, within reason. DDoS is, and needs to be, illegal, to maintain some semblance of organization and operability of the Internet. Without those laws, imagine how chaotic and unusable the Internet would be.
I don't agree with so much with attacks on sites, however, I do believe in free information. At least I believed in what Wiki Leaks was doing. I realize it is a hot point. But most these countries are making decisions that represent their respective countries, and then lie to their own people about it. Then when we get into these wars and what not, we fight them and their is significant loss of life for reasons truly unknown. Most these companies are profiting from not only people, but governments and wartime situations. I think all information pertaining to your respected government should be freedom of information to the citizens of that country. Any denial of such information should be obtained by any means necessary and still not be categorized as being illegal. I realize most people would rather be in the dark, but that is just plain ignorance too. For example, if your child commits a crime, you are held responsible because they are not of legal age. Even though the child themselves could also be punished, my point is, the adult is also held responsible. We are all children of our respective countries leaders. But no one is keeping them in check, and we are paying the price for their crimes. And yes, they all commit vigorous amounts of crimes. As those who represent me, and that I am responsible to, I feel I should be entitled to know exactly how they are representing me and to what extent and doing what. But again, most choose to be blind…. so again, I agree with what wiki leaks was doing for the most part anyways. Not entirely though.
Shouldn't the headline say "anonymice"?
Too bad they got caught. PayPal deserves what they got. They are a bunch of discriminatory crooks. They froze my account because they didn't like what I was selling, which was completely legal. I don't think you can argue that ddos is free speech, but what I just said was free speech, and I will continue to speak out publicly against PayPal for their policies. As a publicly traded company (eBay subsidiary) they are doing their shareholders a disservice by picking and choosing the transactions they want to process.
I think that too many Americans, think that the first amendment also applies to England or to the rest of the world. The charge of denial of Freedom of Speech, as denoted here in the comments section does not apply in this story.
The young men are English citizens, and they were tried in England. Whereas our languages are really quite similar (except for the occasional extra vowel) the application of laws is not. You may not care for PayPal or Mastercard or Visa or even American Express but you also do not have the right to take the law into your own hands and fingers to close down any website. A DDos, is like any other spam or malicious trojan any other hack. If you don't like what is happening a physical protest works better, heck buy some stock and start going to every board meeting to complain. Any closing down of websites is illegal by private citizens.
future attacks are untraceable. so in making scapegoats of these individuals the authorities have driven the entire outfit into complete anonymity and a future where free internet no longer exists. the new two tier version of the internet is coming to a cable near you
Do we know how they got caught? Did they not use proxy (chains) or similar techniques?