A 38-year-old man from the US state of Wisconsin has been sentenced to two years of federal probation and will pay a $183,000 fine for taking part in a distributed denial of service (DDoS) attack organized under the Anonymous hacktivist brand.
Eric J. Rosol, of Black Creek, Wisconsin, pleaded guilty to one misdemeanor count of accessing a protected computer, the Department of Justice said in a statement.
US Attorney Barry Grissom said on 2 December that Rosol admitted to downloading a program called Low Orbit Ion Cannon (LOIC) – a tool that Anonymous has encouraged people to download so as to flood a targeted website with enough traffic to knock it senseless.
The target in this particular operation was Kochind.com, a web page of Koch Industries, which wound up going offline for 15 minutes because of the attack.
Koch Industries is an enormous, multinational corporation based in Wichita, Kansas, that has its fingers in all sorts of pies: manufacturing, refining and distribution of petroleum, chemicals, energy, fiber, intermediates and polymers, minerals, fertilizers, pulp and paper, chemical technology equipment, ranching, finance, and commodities trading.
For their part, the billionaire brothers Charles and David Koch – principals in Koch Industries – are the US’s sugar daddies when it comes to certain political causes.
The brothers have dispensed tens of millions of dollars to groups whose mission it is to end reproductive rights, and they were a key funding source for those who attempted to kill collective bargaining rights for public sector unions in Wisconsin in 2011.
It was the union-busting that got Anonymous to fire up the anti-Koch operation.
On 27 February 2011, Anonymous asked its followers to use the LOIC to attack a Koch Industries site, quiltednorthern.com.
The next day, Anonymous asked its followers to attack Kochind.com with the LOIC.
According to IT World, Rosol and the government agreed that the losses directly resulting from the 28 February attack on Kochind.com amounted to less than $5,000.
Koch Industries, however, argued that it had hired a consulting group to protect its websites at a cost of approximately $183,000, and therein lies the price explosion for 15 minutes of downtime.
Rosol could have been facing a maximum penalty of five years in federal prison and a fine up to $250,000 on each of the two original charges: one count of conspiracy to damage a protected computer and one count of damaging a protected computer.
While he’s off the hook for prison time and will instead only be on probation for two years, Rosol’s fine is being added to a growing list of what’s considered by many to be extraordinarily harsh penalties for computer crimes.
The most recent was the conviction of Jeremy Hammond, a US hacker and political activist who was sentenced in November 2013 to 10 years in US Federal Prison for the theft of 60,000 credit card numbers and the personal information of 860,000 customers of Stratfor through the whistle-blowing website Wikileaks.
Some efforts have been made to curb the charges used in such crimes, including Representative Zoe Lofgren’s proposal of the so-called “Aaron’s Law”.
Aaron’s Law was proposed as a means of changing the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute – laws that formed the basis of 13 felony counts of hacking and wire fraud brought against internet activist Aaron Swartz, who apparently took his own life in the midst of federal prosecution.
The Electronic Frontier Foundation, for its part, considers Aaron’s Law to be a good starting point, but it continues to seek a more fundamental overhaul of the CFAA, including clarification of fuzzy language such as “unauthorized” access, as well as penalties that are more proportionate to offenses.
The charges against Swartz carried the possibility of decades in prison and devastating fines, just as Rosol faced the potential of years in prison and now must pay a crippling fine for his brief participation in the DDoS attack.
Rosol’s $183,000 fine amounts to $3,050 per second of the time that he reportedly spent on the attack. Broken down another way, it translates to $12,200 per minute the targeted site was down.
Was the fine excessive? I can imagine that most hackers might find it so.
Or do those who inflict mayhem deserve such stiff penalties? Perhaps many businesses that struggle to fight off attacks including DDoSes might say that cybercriminals deserve fines similar to that which Rosol is facing.
Please share your own thoughts in the comments section below.
Image of Anonymous mask courtesy of Bad Man Production / Shutterstock.com.
The $183,000 should have been pro-rated based on the number of computers accessing the website vs his 1 computer.
Really, Eric J. Rosol should sue the Union that encouraged him to commit illegal activities. Or the union encouragers should have been fined 10 times the amount. Typical union, overpriced, underproductive and many times corrupt. Especially gov’t unions, a license to steal from taxpayers.
If you are an adult I think you should read more carefully before ranting. Anonymous is a hacking organization not a union.
“It was the union-busting that got Anonymous to fire up the anti-Koch operation.
On 27 February 2011, Anonymous asked its followers to use the LOIC to attack a Koch Industries site, quiltednorthern.com.
The next day, Anonymous asked its followers to attack Kochind.com with the LOIC.”
You might need to get in the habit of reading articles twice, before commenting.
Don’t waste your time, Blake. “Ricky” has an agenda and as such is immune to logic and reason.
So does the author with the hysterical “end reproductive rights” newspeak.
@Blake. You didn’t read the original post very carefully. The poster argued that since unions had incited Anonymous (and hence Mr. Rosol) to attack the Koch website, that they were also responsible and should be fined. It’s implied that since they incited multiple attackers that they (the union) should be fined a greater amount.
“…should sue the Union that encouraged him to commit illegal activities” – substantially different than what you purport in your statement that he incited Anonymous & hence Mr Rosol
Anonymous is pretty much a bunch of kids who like anime and social justice. DDoSing is pretty much just crowding an Apple store on Black Friday, except more like a political protest.
Another way the plutocrats are screwing the plebeians.
Let’s see one of the bank CEOs responsible for the economic crash lose the equivalent of three years of his personal salary – never gonna happen.
That’s right. Not only that, they even get bailed out by the gov for gambling with our money.
Were all on a sinking ship and no one is coming to save us
While you are on your sinking ship, I will take a moment to let you know that the correct spelling / grammar is “we’re” not “were”
Was the “access” really unauthorized if the site is open to the public?
I acknowledge that the term authorised access is a tricky one in many cases. However, the authority to access is given in terms of browsing the site for information as was the intention of the owner of this site. The hackers’ intention was to abuse the technical access with no intention to browse the information and to prevent others from their lawful authorised access.
That would seem to me to be a clear violation, certainly deserving of a serious penalty, though $183k is probably a bit on the high side. No doubt he will never pay it off, but in the meantime it should provide second thoughts for any others tempted to do the same.
It may be public but he wasn’t just hitting ‘refresh’ on his browser, he was using the LOIC (the Low Orbit Ion Cannon) and in so doing he made the manner of his access abundantly clear.
As individuals we have the freedom to choose which company’s products we purchase or use. Claiming political activism is not justification for damaging a company’s business by disrupting a website, or even worse crashing a company’s operating systems. To a company like Koch, which operates numerous chemical companies, the loss of operating software could endanger the lives of employees and nearby residents.
Actions, even for one minute, have consequences, so hackers shouldn’t whine when they get caught and are held accountable.
If Koch has ANY critical systems which are net-facing and fragile enough to be taken down by a bunch of script kiddies then they should be facing criminal negligence charges.
It’s on par with putting your control valves outside the security fence in an unlocked, unlabelled box and should be prosecuted accordingly.
Maybe so, but if you damage those control valves are you not still a vandal?
Well spoken, Mark. Unfortunately for the intellectually challenged, “actions have consequences”. If you “can’t do the time, DON’T do the Crime”!
@Stoat – Koch’s philosophy is to buy off the shelf software, installed without customization, to eliminate the overhead of large IT departments. Now does that sound like a company seeking the highest level of security? Could your so called script kiddies stumble across a flaw and take down a network system?
I can’t say, but I am convinced responsibility for one’s actions begins with the individual. Don’t blame the victim for being victimized and don’t pursue activities which you don’t fully understand or are not prepared to be responsible for.
Koch Bros. companies are for the most part invisible to the public. Do you know exactly where your steak comes from? Do you have a direct say where your municipality or county gets its services or supplies? Can you tell which manufacturers of the products you use have Koch chemicals in them? The excuse that the public must be the catalyst for change is a farce when dealing with insidiously corrupt industrialists who use government subsidies to manufacture consent and manipulate the system.
At this point in time the political system is for the most part bought, paid for and owned by the so called elite. It is and always will be the actions of political activists that shed light on the problems we face. To blame them for exposing issues and trying to enact change amounts to driving into Death Valley, digging a small pointed hole in the ground, sticking your head into it and pulling the sand in over it.
The elite owns the media and controls its message, therefore the chilling of political activism amounts to crippling the voice of opposition and silencing a form of free speech.
You’re not against free speech, are you?
well said
All this is going to result in, is more DDoS with better obfuscation (which let’s face it, isn’t hard to do).
What happens when a DDoS attack consists of hundreds of thousands (or millions) of hosts sending 1 SYN packet each, every 30 seconds?
At what point does the attack system get so hair trigger that someone sending a single ICMP PING ends up being investigated/prosecuted?
I’m not suggesting Koch are angels, and nor am I trying to downplay Anonymous, but this taking out easy targets with extreme prejudice “pour encourager les autres” is making martyrs and will eventually result in a large amount of blowback.
we have to be frightened, very very frightened
This guy should get a medal! They need to be shut down, and spending time in the Crowbar Hotel, for the benefit of humanity!
No, we don’t have to be frightened… what’s scary has been with us for years.
Who cares, he committed a crime and now he’s paying the penalty.
Quoting the TV character Baretta; “If you can’t do the time, don’t do the crime.”
I see – so you have no objection to us changing the speeding laws so that 1 mile an hour over the limit, say 66 on the interstate, means they can seize and keep your car.
“Who cares, he committed a crime and now he’s paying the penalty.”
This logic is terribly flawed and leads to tyranny. You do not even consider the option that perhaps what happened shouldn’t be a crime. Even accepting that it is a crime the punishment is a bit harsh. The people here in the US really need to wake up and spend some time thinking about our legal system. It is out of control.
What a weird fine. Was it that big of a crime? I see people who do really bad crimes all over the US who don’t get fined even 10% of that amount.
Such a one-sided approach taken through it all. Koch brothers didn’t hesitate to support what they desired, i.e. the attack on, and preferred removal of trade union collective bargaining rights. Because they have the financial ability to support such activity, is it correct for them to do this? If you agree, you have to follow that process through and accept that Mr Rosol has simply done the same thing, although his support was limited to his own personal time and actions rather than tens of millions of dollars of financial support to Anonymous or similar groups.
Ummm, it’s about property rights. The Koch brothers didn’t damage anyone else’s property. Mr. Rosol did.
He didn’t damage anything, simply took part in an action to prevent access. Too, to expect him to cover the cost of consultants who failed miserably to provide advice to prevent the site going down is laughable.
I’ve had a discussion on this blog about these types of posts in the past. I do not read this blog to be subjected to someone’s idea of what is right or wrong based on their political ideology. If I have to continue being subjected to what I consider political slander and nonsense, I will take my reading somewhere else.
Crime or not a crime, people will argue it every way, but I don’t get this part of the fine…
“Koch Industries, however, argued that it had hired a consulting group to protect its websites at a cost of approximately $183,000”
So this ‘Consultancy Group’ got paid $183,000 to protect Koch’s computers and didn’t do it? Whether we agree or not on Anonymous’ activities, what they have done is highlight to Koch that they paid $183,000 to a consultancy group that isn’t delivering what they charged for. If I was Koch I’d be asking for the money back from the consultancy group for failure to deliver.
If people have to pay for damage to computers and suffer prison time, are we deluding ourselves thinking the US including the NSA will be coughing up cash for the Stuxnet virus?? Lead by example NSA, go to jail, go directly to jail, do not pass go, do not collect £200.
One sided me thinks :p
Clearly none of you have quoted out Prolexic in an emergency DDoS situation, they are not cheap for on demand protection during an attack pending on how many packets they were putting at them. Considering most small clean packages to have about 100Mb of clean traffic start at about $10k a month…
What an absolute joke of a penalty. It effectively enslaves him, as he will almost certainly be working it off for the rest of his life. This can be filed under “the evil of unjust laws”.
Yeah, but I don’t think he will do it again. Unless he’s a moron and learned nothing from the first experience.
The company should have been checked out by a security firm in the first place to make sure that their site was structurally sound. It seems like they ended up incurring costs because they were planning ahead and instead of footing the bill themselves found the opportunity to pass it on to someone else.
So.. DDOS, distributed denial of service. A simple analogy would be thousands of protesters gathering in front of Walmart, he stood among the protesters for one minute and then was arrested as the first person the police grabbed and was fined $183,000 because that’s how much it cost Walmart to hire a ton of security guards to make sure customers could come in and shop during the protest. He did not break the doors down nor did he assault anyone nor did he vandalize. He was just blocking access. Do you believe such an act warrants up to 5 years in a federal prison? Does that sound right?
Congrats for the dumbest comment of all time *Cue confetti*
Stop trying to justify crime by making poor metaphors. The overly punitive penalties many ‘anons’ (read: cowards) are receiving is deserved because they are doing their best to remain anonymous to avoid any penalties at all while doing what even they know is a crime. The only way to fight an enemy you can’t find is to make sure you make an example of the ones who do a shitty job of hiding.
What happens when a group starts doing the same thing, but targeting causes you actually agree with? Bet you won’t be making excuses for that group.
This is exactly right – sadly, people choose to see the parallels to real-world scenarios only when it is convenient, and ignore it when it does not suit their argument.
DDoS attacks should indeed be seen as protests, and the example you’ve given should make that very clear – obviously it’s still a crime, but the fine should reflect the severity.
It is unfortunate that what could have been such a great piece was tainted with such biased sources. The writer obviously disagrees with the Koch brothers’ support of certain causes, so she used the most extreme sources of questionable information to shore up her analysis of their activities.
The fine was extreme for this particular guy; regardless of how you feel about the Koch brothers or about Anonymous, this was one incident. The guy probably had no idea what exactly was going to happen, or the laws regarding it. He probably thought it was sort of like throwing a rock through the window of a store front.
No longer support XP? I got more than enough 3rd party security this operating system is way safer than it needs to be what the hell are you idiots worried about what OS I’M running to get on? Looks like you just want to force us onto the windows system that the Government wants everyone forced on BECAUSE it has so many more security holes to play with. Seriously like you REALLY cared if my computer got screwed because I came on here, Just so you know anyway, you’re a little late, it’s passed the 15 of November.
Maybe fines should be based on income. $182,000 could bankrupt one person but not even deter another.
They should be more proportional to the perp’s income and also the magnitude of the consequences on the victim, so for instance, in this case, the Koch Brothers earn $183,000 every 6 seconds, so it really wasn’t a big deal at all to them, so the guy should have gotten a slap on the wrist. Now if he had attacked a mom and pop shop that takes 3 months to earn that kind of money (but the loss wasn’t enough to put the business in jeopardy), the consequences should have been greater, and if he had attacked an individual that would take more than 2 years to make that kind of cash, then he should have been subjected to the harshest punishment.
I fail to see how saddling this guy with a debt that will take pretty much a lifetime to pay off and may send him into poverty and desperation will help society. Especially when his actions resulted in a loss to his victim equal to what they might find in their couch cushions. He might otherwise have been a contributing member of society!
What I really don’t understand is that the Koch Brothers have actually cost several people their lives with their polluting industry near Penn Road, but this guy cost them $5,000 (according to the company he attacked, $183,000 if you ask the bros) and he’ll be taking out a mortgage to pay for that mistake, possibly for the rest of his life.
So let me get this straight, the Koch Bros pollute a river, killing almost a dozen people, nothing happens, and this kid takes an action which at its worst cost the Koch Bros the amount of money they make in 6 seconds and he’s left footing the bill? Not only should fines be more proportional to the perpetrator’s income, but they should also reflect the victim’s income. In other words, the way our system is set up now, corporations and the rich can commit legal crimes which affect the lives of an individual or more, and nothing happens, but if someone does something to a corporation or a rich person, they risk spending their lives in jail or going bankrupt. I think you should only be punished for taking advantage of someone weaker than you. So an individual should be able to sue a company, but not vice versa, unless the results of that person’s actions put the company in serious jeopardy.
This is ridiculous. DDoS attacks are essentially peaceful protests, much like the sit-ins of the civil rights movement.
The Constitution states that we have the right to organize labor unions, therefore the Koch brothers were in fact trying to infringe upon that right. It is the Koch brothers who should be punished for attempting to take away our right to a union. After all, if you knowingly deprive someone of their legal rights for no other reason than that of greed then you are the criminal. The Constitution is the law of the land and if the Koch brothers disobey it then they are breaking that law and thus become criminals. Let’s punish the right person or persons: the Koch brothers.